Guide to the Secure Configuration of Red Hat Enterprise Linux 9

with profile DISA STIG for Red Hat Enterprise Linux 9
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3. In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

This benchmark is a direct port of a SCAP Security Guide benchmark developed for Red Hat Enterprise Linux. It has been modified through an automated process to remove specific dependencies on Red Hat Enterprise Linux and to function with Rocky Linux. The result is a generally useful SCAP Security Guide benchmark with the following caveats:

  • Rocky Linux is not an exact copy of Red Hat Enterprise Linux. There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.
  • Rocky Linux is a Linux distribution produced by the Rocky Enterprise Software Foundation. It is a free and open source operating system based on Red Hat Enterprise Linux with the goal "to be fully compatible" with its upstream commercial distribution. Rocky Linux has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. Rocky Linux does not inherit certifications or evaluations from Red Hat Enterprise Linux. As such, some configuration rules (such as those requiring FIPS 140-2 encryption) will continue to fail on Rocky Linux.

Members of the Rocky Linux community are invited to participate in OpenSCAP and SCAP Security Guide development. Bug reports and patches can be sent to GitHub: https://github.com/ComplianceAsCode/content. The mailing list is at https://fedorahosted.org/mailman/listinfo/scap-security-guide.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation targetrockykinux-rgs-djaga2
Benchmark URL#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml
Benchmark IDxccdf_org.ssgproject.content_benchmark_RHEL-9
Benchmark version0.1.73
Profile IDxccdf_org.ssgproject.content_profile_stig
Started at2024-08-21T12:40:12+00:00
Finished at2024-08-21T12:40:12+00:00
Performed bydjagaazure
Test systemcpe:/a:redhat:openscap:1.3.10

CPE Platforms

  • cpe:/o:rocky:rocky:9
  • cpe:/o:redhat:enterprise_linux:9

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.212.3.250
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:6245:bdff:fe98:a236
  • MAC  00:00:00:00:00:00
  • MAC  60:45:BD:98:A2:36

Compliance and Scoring

The target system did not satisfy the conditions of 15 rules! Furthermore, the results of 4 rules were inconclusive. Please review rule results and consider applying remediation.

Rule results

415 passed
15 failed
14 other

Severity of failed rules

0 other
5 low
8 medium
2 high

Score

Scoring systemScoreMaximumPercent
urn:xccdf:scoring:default96.679718100.000000
96.68%

Rule Overview

Group rules by:
TitleSeverityResult
Guide to the Secure Configuration of Red Hat Enterprise Linux 9 15x fail 4x error 10x notchecked
System Settings 13x fail 3x error 7x notchecked
Installing and Maintaining Software 11x fail 3x error 2x notchecked
System and Software Integrity 5x fail 2x error
Software Integrity Checking 1x error
Verify Integrity with AIDE 1x error
Install AIDEmedium
pass
Build and Test AIDE Databasemedium
fixed
Configure AIDE to Verify the Audit Toolsmedium
fixed
Configure Periodic Execution of AIDEmedium
fixed
Configure Notification of Post-AIDE Scan Detailsmedium
fixed
Configure AIDE to Use FIPS 140-2 for Validating Hashesmedium
error
Configure AIDE to Verify Access Control Lists (ACLs)low
fixed
Configure AIDE to Verify Extended Attributeslow
fixed
Audit Tools Must Be Group-owned by Rootmedium
pass
Audit Tools Must Be Owned by Rootmedium
pass
Audit Tools Must Have a Mode of 0755 or Less Permissivemedium
pass
Federal Information Processing Standard (FIPS) 1x fail 1x error
Enable Dracut FIPS Modulehigh
fixed
Enable FIPS Modehigh
error
Set kernel parameter 'crypto.fips_enabled' to 1high
fail
System Cryptographic Policies 1x fail
Install crypto-policies packagemedium
pass
Configure BIND to use System Crypto Policyhigh
notapplicable
Configure System Cryptography Policyhigh
fixed
Configure Kerberos to use System Crypto Policyhigh
pass
Configure Libreswan to use System Crypto Policyhigh
pass
Configure OpenSSL library to use System Crypto Policymedium
pass
Configure OpenSSL library to use TLS Encryptionmedium
pass
Configure SSH to use System Crypto Policymedium
pass
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.confighigh
pass
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.configmedium
fail
Operating System Vendor Support and Certification 1x fail
The Installed Operating System Is Vendor Supportedhigh
fail
Endpoint Protection Software 2x fail
McAfee Endpoint Security Software 2x fail
McAfee Endpoint Security for Linux (ENSL) 2x fail
Install McAfee Endpoint Security for Linux (ENSL)medium
fail
Ensure McAfee Endpoint Security for Linux (ENSL) is runningmedium
fail
Disk Partitioning 6x fail 1x notchecked
Encrypt Partitionshigh
notchecked
Ensure /home Located On Separate Partitionlow
fail
Ensure /tmp Located On Separate Partitionlow
fail
Ensure /var Located On Separate Partitionlow
fail
Ensure /var/log Located On Separate Partitionlow
fail
Ensure /var/log/audit Located On Separate Partitionlow
fail
Ensure /var/tmp Located On Separate Partitionmedium
fail
GNOME Desktop Environment
Disable the GNOME3 Login Restart and Shutdown Buttonshigh
notapplicable
Disable the GNOME3 Login User Listmedium
notapplicable
Enable the GNOME3 Screen Locking On Smartcard Removalmedium
notapplicable
GNOME Media Settings
Disable GNOME3 Automount Openingmedium
notapplicable
Disable GNOME3 Automount runninglow
notapplicable
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeoutmedium
notapplicable
Set GNOME3 Screensaver Lock Delay After Activation Periodmedium
notapplicable
Enable GNOME3 Screensaver Lock After Idle Periodmedium
notapplicable
Implement Blank Screensavermedium
notapplicable
Ensure Users Cannot Change GNOME3 Screensaver Settingsmedium
notapplicable
Ensure Users Cannot Change GNOME3 Session Idle Settingsmedium
notapplicable
GNOME System Settings
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3high
notapplicable
Make sure that the dconf databases are up-to-date with regards to respective keyfileshigh
notapplicable
Sudo 1x error
Install sudo Packagemedium
pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatemedium
pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDmedium
error
Require Re-Authentication When Using the sudo Commandmedium
fixed
The operating system must restrict privilege elevation to authorized personnelmedium
pass
Ensure invoking users password for privilege escalation when using sudomedium
fixed
System Tooling / Utilities
Ensure gnutls-utils is installedmedium
fixed
Ensure nss-tools is installedmedium
fixed
Install rng-tools Packagelow
pass
Install subscription-manager Packagemedium
fixed
Uninstall gssproxy Packagemedium
pass
Uninstall iprutils Packagemedium
pass
Uninstall tuned Packagemedium
pass
Updating Software 1x notchecked
Ensure dnf Removes Previous Package Versionslow
pass
Ensure gpgcheck Enabled In Main dnf Configurationhigh
pass
Ensure gpgcheck Enabled for Local Packageshigh
pass
Ensure gpgcheck Enabled for All dnf Package Repositorieshigh
pass
Ensure Red Hat GPG Key Installedhigh
pass
Ensure Software Patches Installedmedium
notchecked
Account and Access Control 1x fail 2x notchecked
Warning Banners for System Accesses
Enable GNOME3 Login Warning Bannermedium
notapplicable
Modify the System Login Bannermedium
fixed
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Limit Password Reuse: password-authmedium
fixed
Limit Password Reuse: system-authmedium
fixed
Account Lockouts Must Be Loggedmedium
fixed
Lock Accounts After Failed Password Attemptsmedium
fixed
Configure the root Account for Failed Password Attemptsmedium
fixed
Lock Accounts Must Persistmedium
fixed
Set Interval For Counting Failed Password Attemptsmedium
fixed
Set Lockout Time for Failed Password Attemptsmedium
fixed
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Wordsmedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Different Charactersmedium
fixed
Ensure PAM Enforces Password Requirements - Enforce for root Usermedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classmedium
fixed
Set Password Maximum Consecutive Repeating Charactersmedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesmedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Lengthmedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Special Charactersmedium
pass
Ensure PAM password complexity module is enabled in password-authmedium
pass
Ensure PAM password complexity module is enabled in system-authmedium
pass
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionmedium
fixed
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersmedium
pass
Set Password Hashing Algorithm
Set Password Hashing Algorithm in /etc/libuser.confmedium
pass
Set Password Hashing Algorithm in /etc/login.defsmedium
pass
Set PAM''s Password Hashing Algorithm - password-authmedium
pass
Set Password Hashing Rounds in /etc/login.defsmedium
pass
Disallow Configuration to Bypass Password Requirements for Privilege Escalationmedium
pass
Protect Physical Console Access
Configure Screen Locking
Configure Console Screen Locking
Install the tmux Packagemedium
fixed
Support session locking with tmux (not enforcing)medium
notapplicable
Configure tmux to lock session after inactivitymedium
notapplicable
Configure the tmux Lock Commandmedium
notapplicable
Configure the tmux lock session key bindinglow
notapplicable
Prevent user from disabling the screen locklow
pass
Install the opensc Package For Multifactor Authenticationmedium
fixed
Install the pcsc-lite packagemedium
fixed
Install Smart Card Packages For Multifactor Authenticationmedium
fixed
Enable the pcscd Servicemedium
fixed
Configure opensc Smart Card Driversmedium
fixed
Disable debug-shell SystemD Servicemedium
fixed
Disable Ctrl-Alt-Del Burst Actionhigh
fixed
Disable Ctrl-Alt-Del Reboot Activationhigh
fixed
Verify that Interactive Boot is Disabledmedium
pass
Configure Logind to terminate idle sessions after certain time of inactivitymedium
notapplicable
Require Authentication for Emergency Systemd Targetmedium
pass
Require Authentication for Single User Modemedium
pass
Protect Accounts by Restricting Password-Based Login 1x fail 1x notchecked
Set Password Expiration Parameters
Set Existing Passwords Maximum Agemedium
fixed
Set Existing Passwords Minimum Agemedium
fixed
Verify Proper Storage and Existence of Password Hashes
Verify All Account Password Hashes are Shadowed with SHA512medium
pass
Set number of Password Hashing Rounds - password-authmedium
fixed
Set number of Password Hashing Rounds - system-authmedium
fixed
All GIDs referenced in /etc/passwd must be defined in /etc/grouplow
pass
Prevent Login to Accounts With Empty Passwordhigh
fixed
Ensure There Are No Accounts With Blank or Null Passwordshigh
pass
Restrict Root Logins
Verify Only Root Has UID 0high
pass
Ensure that System Accounts Do Not Run a Shell Upon Loginmedium
fixed
Enforce usage of pam_wheel for su authenticationmedium
pass
Only Authorized Local User Accounts Exist on Operating Systemmedium
fail
Ensure All Groups on the System Have Unique Group IDmedium
pass
Secure Session Configuration Files for Login Accounts 1x notchecked
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctlymedium
fixed
Ensure the Default C Shell Umask is Set Correctlymedium
fixed
Ensure the Default Umask is Set Correctly in /etc/profilemedium
fixed
Ensure the Default Umask is Set Correctly For Interactive Usersmedium
pass
Ensure the Logon Failure Delay is Set Correctly in login.defsmedium
fixed
Set Interactive Session Timeoutmedium
fixed
User Initialization Files Must Not Run World-Writable Programsmedium
pass
Ensure that Users Path Contains Only Local Directoriesmedium
notchecked
All Interactive Users Must Have A Home Directory Definedmedium
pass
All Interactive Users Home Directories Must Existmedium
pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupmedium
pass
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivemedium
fixed
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivemedium
pass
Enable authselectmedium
pass
GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configuration
Verify /boot/grub2/grub.cfg Group Ownershipmedium
notapplicable
Verify /boot/grub2/grub.cfg User Ownershipmedium
notapplicable
Set the Boot Loader Admin Username to a Non-Default Valuehigh
notapplicable
Set Boot Loader Password in grub2high
notapplicable
Enable Kernel Page-Table Isolation (KPTI)low
fixed
Disable vsyscallsmedium
fixed
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure cron Is Logging To Rsyslogmedium
pass
Ensure Rsyslog Authenticates Off-Loaded Audit Recordsmedium
fixed
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsmedium
fixed
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsmedium
fixed
Ensure remote access methods are monitored in Rsyslogmedium
fixed
systemd-journald
Enable systemd-journald Servicemedium
pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Servermedium
pass
Rsyslog Logs Sent To Remote Host
Ensure Logs Sent To Remote Hostmedium
fixed
Ensure rsyslog-gnutls is installedmedium
fixed
Ensure rsyslog is Installedmedium
pass
Enable rsyslog Servicemedium
pass
Network Configuration and Firewalls 1x fail 3x notchecked
firewalld 2x notchecked
Inspect and Activate Default firewalld Rules
Install firewalld Packagemedium
fixed
Verify firewalld Enabledmedium
notapplicable
Strengthen the Default Ruleset 2x notchecked
Configure the Firewalld Portsmedium
notchecked
Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systemsmedium
notchecked
Configure Firewalld to Use the Nftables Backendmedium
notapplicable
IPSec Support 1x notchecked
Install libreswan Packagemedium
fixed
Verify Any Configured IPSec Tunnel Connectionsmedium
notchecked
IPv6
Configure IPv6 Settings if Necessary
Configure Accepting Router Advertisements on All IPv6 Interfacesmedium
pass
Disable Accepting ICMP Redirects for All IPv6 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesmedium
pass
Disable Kernel Parameter for IPv6 Forwardingmedium
pass
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesmedium
fixed
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultmedium
pass
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Disable Accepting ICMP Redirects for All IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfacesmedium
fixed
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesunknown
pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesmedium
fixed
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultmedium
pass
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultunknown
pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultmedium
pass
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesmedium
pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesunknown
pass
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesmedium
pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultmedium
pass
Uncommon Network Protocols
Disable ATM Supportmedium
fixed
Disable CAN Supportmedium
fixed
Disable IEEE 1394 (FireWire) Supportlow
fixed
Disable SCTP Supportmedium
fixed
Disable TIPC Supportlow
pass
Wireless Networking
Disable Wireless Through Software Configuration
Disable Bluetooth Kernel Modulemedium
fixed
Deactivate Wireless Network Interfacesmedium
notapplicable
Network Manager
NetworkManager DNS Mode Must Be Must Configuredmedium
fixed
Configure Multiple DNS Servers in /etc/resolv.confmedium
fail
Ensure System is Not Acting as a Network Sniffermedium
pass
File Permissions and Masks
Verify Permissions on Important Files and Directories
Verify Group Who Owns Backup group Filemedium
pass
Verify Group Who Owns Backup gshadow Filemedium
pass
Verify Group Who Owns Backup passwd Filemedium
pass
Verify User Who Owns Backup shadow Filemedium
pass
Verify Group Who Owns group Filemedium
pass
Verify Group Who Owns gshadow Filemedium
pass
Verify Group Who Owns passwd Filemedium
pass
Verify Group Who Owns shadow Filemedium
pass
Verify User Who Owns Backup group Filemedium
pass
Verify User Who Owns Backup gshadow Filemedium
pass
Verify User Who Owns Backup passwd Filemedium
pass
Verify Group Who Owns Backup shadow Filemedium
pass
Verify User Who Owns group Filemedium
pass
Verify User Who Owns gshadow Filemedium
pass
Verify User Who Owns passwd Filemedium
pass
Verify User Who Owns shadow Filemedium
pass
Verify Permissions on Backup group Filemedium
pass
Verify Permissions on Backup gshadow Filemedium
pass
Verify Permissions on Backup passwd Filemedium
pass
Verify Permissions on Backup shadow Filemedium
pass
Verify Permissions on group Filemedium
pass
Verify Permissions on gshadow Filemedium
pass
Verify Permissions on passwd Filemedium
pass
Verify Permissions on shadow Filemedium
pass
Verify Permissions on Files within /var/log Directory
Verify Group Who Owns /var/log Directorymedium
pass
Verify Group Who Owns /var/log/messages Filemedium
pass
Verify User Who Owns /var/log Directorymedium
pass
Verify User Who Owns /var/log/messages Filemedium
pass
Verify Permissions on /var/log Directorymedium
pass
Verify Permissions on /var/log/messages Filemedium
pass
Verify File Permissions Within Some Important Directories
Verify that Shared Library Directories Have Root Group Ownershipmedium
pass
Verify that Shared Library Directories Have Root Ownershipmedium
pass
Verify that Shared Library Directories Have Restrictive Permissionsmedium
pass
Verify that system commands files are group owned by root or a system accountmedium
pass
Verify that System Executables Have Root Ownershipmedium
pass
Verify that Shared Library Files Have Root Ownershipmedium
pass
Verify that System Executables Have Restrictive Permissionsmedium
pass
Verify that Shared Library Files Have Restrictive Permissionsmedium
pass
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.medium
pass
Ensure All World-Writable Directories Are Owned by root Usermedium
pass
Verify that All World-Writable Directories Have Sticky Bits Setmedium
pass
Verify Permissions on /etc/audit/auditd.confmedium
pass
Verify Permissions on /etc/audit/rules.d/*.rulesmedium
pass
Ensure All Files Are Owned by a Groupmedium
pass
Ensure All Files Are Owned by a Usermedium
pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable the Automountermedium
notapplicable
Disable Mounting of cramfslow
fixed
Disable Modprobe Loading of USB Storage Drivermedium
fixed
Restrict Partition Mount Options
Add nosuid Option to /boot/efimedium
fixed
Add nodev Option to /bootmedium
fixed
Add nosuid Option to /bootmedium
fixed
Add nodev Option to /dev/shmmedium
fixed
Add noexec Option to /dev/shmmedium
fixed
Add nosuid Option to /dev/shmmedium
fixed
Add nodev Option to /homeunknown
notapplicable
Add noexec Option to /homemedium
pass
Add nosuid Option to /homemedium
notapplicable
Add nodev Option to Non-Root Local Partitionsmedium
fixed
Add nodev Option to Removable Media Partitionsmedium
pass
Add noexec Option to Removable Media Partitionsmedium
pass
Add nosuid Option to Removable Media Partitionsmedium
pass
Add nodev Option to /tmpmedium
notapplicable
Add noexec Option to /tmpmedium
notapplicable
Add nosuid Option to /tmpmedium
notapplicable
Add nodev Option to /var/log/auditmedium
notapplicable
Add noexec Option to /var/log/auditmedium
notapplicable
Add nosuid Option to /var/log/auditmedium
notapplicable
Add nodev Option to /var/logmedium
notapplicable
Add noexec Option to /var/logmedium
notapplicable
Add nosuid Option to /var/logmedium
notapplicable
Add nodev Option to /varmedium
notapplicable
Add nodev Option to /var/tmpmedium
notapplicable
Add noexec Option to /var/tmpmedium
notapplicable
Add nosuid Option to /var/tmpmedium
notapplicable
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable acquiring, saving, and processing core dumpsmedium
fixed
Disable core dump backtracesmedium
pass
Disable storing core dumpmedium
pass
Disable Core Dumps for All Usersmedium
fixed
Enable ExecShield
Enable ExecShield via sysctlmedium
pass
Restrict Exposed Kernel Pointer Addresses Accessmedium
pass
Enable Randomized Layout of Virtual Address Spacemedium
fixed
Memory Poisoning
Enable page allocator poisoningmedium
fixed
Enable SLUB/SLAB allocator poisoningmedium
fixed
Disable storing core dumpsmedium
fixed
Restrict Access to Kernel Message Bufferlow
fixed
Disable Kernel Image Loadingmedium
fixed
Disallow kernel profiling by unprivileged userslow
fixed
Disable Access to Network bpf() Syscall From Unprivileged Processesmedium
fixed
Restrict usage of ptrace to descendant processesmedium
fixed
Harden the operation of the BPF just-in-time compilermedium
fixed
Disable the use of user namespacesmedium
fixed
SELinux
Install policycoreutils-python-utils packagemedium
pass
Install policycoreutils Packagelow
pass
Ensure No Device Files are Unlabeled by SELinuxmedium
pass
Configure SELinux Policymedium
pass
Ensure SELinux State is Enforcinghigh
pass
Services 2x fail 1x error 2x notchecked
Base Services
Disable KDump Kernel Crash Analyzer (kdump)medium
fixed
Cron and At Daemons
Verify Group Who Owns cron.dmedium
pass
Verify Group Who Owns cron.dailymedium
pass
Verify Group Who Owns cron.denymedium
pass
Verify Group Who Owns cron.hourlymedium
pass
Verify Group Who Owns cron.monthlymedium
pass
Verify Group Who Owns cron.weeklymedium
pass
Verify Group Who Owns Crontabmedium
pass
Verify Owner on cron.dmedium
pass
Verify Owner on cron.dailymedium
pass
Verify Owner on cron.denymedium
pass
Verify Owner on cron.hourlymedium
pass
Verify Owner on cron.monthlymedium
pass
Verify Owner on cron.weeklymedium
pass
Verify Owner on crontabmedium
pass
Verify Permissions on cron.dmedium
pass
Verify Permissions on cron.dailymedium
pass
Verify Permissions on cron.hourlymedium
pass
Verify Permissions on cron.monthlymedium
pass
Verify Permissions on cron.weeklymedium
pass
Verify Permissions on crontabmedium
pass
Application Whitelisting Daemon
Install fapolicyd Packagemedium
fixed
Enable the File Access Policy Servicemedium
fixed
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Packagehigh
pass
Kerberos
Disable Kerberos by removing host keytabmedium
notapplicable
Mail Server Software
Configure SMTP For Mail Clients
Configure System to Forward All Mail For The Root Accountmedium
fixed
Configure System to Forward All Mail From Postmaster to The Root Accountmedium
pass
Configure Operating System to Protect Mail Server
Configure Postfix if Necessary
Control Mail Relaying
Prevent Unrestricted Mail Relayingmedium
notapplicable
The s-nail Package Is Installedmedium
fixed
Uninstall Sendmail Packagemedium
pass
NFS and RPC
Configure NFS Clients
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with Kerberos Securitymedium
notapplicable
Mount Remote Filesystems with nodevmedium
notapplicable
Mount Remote Filesystems with noexecmedium
notapplicable
Mount Remote Filesystems with nosuidmedium
notapplicable
Uninstall nfs-utils Packagelow
pass
Network Time Protocol 1x fail
The Chrony package is installedmedium
pass
The Chronyd service is enabledmedium
pass
A remote time server for Chrony is configuredmedium
pass
Disable chrony daemon from acting as serverlow
fixed
Disable network management of chrony daemonlow
fixed
Configure Time Service Maxpoll Intervalmedium
fixed
Ensure Chrony is only configured with the server directivemedium
fail
Obsolete Services
NIS
Uninstall ypserv Packagehigh
pass
Rlogin, Rsh, and Rexec
Uninstall rsh-server Packagehigh
pass
Remove Host-Based Authentication Fileshigh
pass
Remove User Host-Based Authentication Fileshigh
pass
Telnet
Uninstall telnet-server Packagehigh
pass
TFTP Server
Uninstall tftp-server Packagehigh
pass
Ensure tftp Daemon Uses Secure Modemedium
notapplicable
Network Routing
Disable Quagga if Possible
Uninstall quagga Packagelow
pass
SSH Server 1x error 1x notchecked
Configure OpenSSH Client if Necessary 1x notchecked
Verify the SSH Private Key Files Have a Passcodemedium
notchecked
Configure OpenSSH Server if Necessary 1x error
Set SSH Client Alive Count Maxmedium
fixed
Set SSH Client Alive Intervalmedium
fixed
Disable Host-Based Authenticationmedium
fixed
Enable SSH Server firewalld Firewall Exceptionmedium
error
Disable Compression Or Set Compression to delayedmedium
fixed
Disable SSH Access via Empty Passwordshigh
fixed
Disable GSSAPI Authenticationmedium
fixed
Disable Kerberos Authenticationmedium
fixed
Disable SSH Support for .rhosts Filesmedium
fixed
Disable SSH Support for User Known Hostsmedium
fixed
Disable X11 Forwardingmedium
fixed
Do Not Allow SSH Environment Optionsmedium
fixed
Enable PAMmedium
pass
Enable Public Key Authenticationmedium
fixed
Enable Use of Strict Mode Checkingmedium
fixed
Enable SSH Warning Bannermedium
fixed
Enable SSH Print Last Logmedium
fixed
Force frequent session key renegotiationmedium
fixed
Set SSH Daemon LogLevel to VERBOSEmedium
fixed
Enable Use of Privilege Separationmedium
fixed
Prevent remote hosts from connecting to the proxy displaymedium
fixed
Install OpenSSH client softwaremedium
pass
Install the OpenSSH Server Packagemedium
pass
Enable the OpenSSH Servicemedium
pass
Verify Group Who Owns SSH Server config filemedium
pass
Verify Owner on SSH Server config filemedium
pass
Verify Permissions on SSH Server config filemedium
pass
Verify Permissions on SSH Server Private *_key Key Filesmedium
pass
Verify Permissions on SSH Server Public *.pub Key Filesmedium
pass
System Security Services Daemon 1x fail 1x notchecked
Certificate status checking in SSSDmedium
fixed
Enable Certmap in SSSDmedium
fail
Enable Smartcards in SSSDmedium
fixed
SSSD Has a Correct Trust Anchormedium
notchecked
Configure SSSD to Expire Offline Credentialsmedium
fixed
USBGuard daemon
Install usbguard Packagemedium
fixed
Enable the USBGuard Servicemedium
fixed
Log USBGuard daemon audit events using Linux Auditlow
notapplicable
Generate USBGuard Policymedium
fixed
X Window System
Disable X Windows
Disable graphical user interfacemedium
pass
Disable X Windows Startup By Setting Default Targetmedium
pass
System Accounting with auditd 1x notchecked
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmodmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - chownmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fchmodmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fchmodatmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fchownmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fchownatmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fremovexattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - fsetxattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - lchownmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - lremovexattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - lsetxattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - removexattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - setxattrmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - umountmedium
fixed
Record Events that Modify the System's Discretionary Access Controls - umount2medium
fixed
Record Execution Attempts to Run ACL Privileged Commands
Record Any Attempts to Run chaclmedium
fixed
Record Any Attempts to Run setfaclmedium
fixed
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run chconmedium
fixed
Record Any Attempts to Run semanagemedium
fixed
Record Any Attempts to Run setfilesmedium
fixed
Record Any Attempts to Run setseboolmedium
fixed
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - renamemedium
fixed
Ensure auditd Collects File Deletion Events by User - renameatmedium
fixed
Ensure auditd Collects File Deletion Events by User - rmdirmedium
fixed
Ensure auditd Collects File Deletion Events by User - unlinkatmedium
fixed
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creatmedium
fixed
Record Unsuccessful Access Attempts to Files - ftruncatemedium
fixed
Record Unsuccessful Access Attempts to Files - openmedium
fixed
Record Unsuccessful Access Attempts to Files - open_by_handle_atmedium
fixed
Record Unsuccessful Access Attempts to Files - openatmedium
fixed
Record Unsuccessful Access Attempts to Files - truncatemedium
fixed
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulemedium
fixed
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulemedium
fixed
Ensure auditd Collects Information on Kernel Module Loading - init_modulemedium
fixed
Record Information on the Use of Privileged Commands
Ensure auditd Collects Information on the Use of Privileged Commands - initmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - poweroffmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - rebootmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - shutdownmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - chagemedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - chshmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - crontabmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - kmodmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - mountmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - passwdmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - postdropmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuemedium
fixed
Record Any Attempts to Run ssh-agentmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - sumedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - sudomedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - umountmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdmedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - unix_updatemedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - userhelpermedium
fixed
Ensure auditd Collects Information on the Use of Privileged Commands - usermodmedium
fixed
Make the auditd Configuration Immutablemedium
fixed
Ensure auditd Collects System Administrator Actions - /etc/sudoersmedium
fixed
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/medium
fixed
Record Events When Privileged Executables Are Runmedium
fixed
Shutdown System When Auditing Failures Occurmedium
fixed
Record Events that Modify User/Group Information - /etc/groupmedium
fixed
Record Events that Modify User/Group Information - /etc/gshadowmedium
fixed
Record Events that Modify User/Group Information - /etc/security/opasswdmedium
fixed
Record Events that Modify User/Group Information - /etc/passwdmedium
fixed
Record Events that Modify User/Group Information - /etc/shadowmedium
fixed
System Audit Directories Must Be Group Owned By Rootmedium
pass
System Audit Directories Must Be Owned By Rootmedium
pass
System Audit Logs Must Have Mode 0640 or Less Permissivemedium
pass
Configure auditd Data Retention 1x notchecked
Configure a Sufficiently Large Partition for Audit Logsmedium
notchecked
Configure auditd to use audispd's syslog pluginmedium
fixed
Configure auditd Disk Error Action on Disk Errormedium
fixed
Configure auditd Disk Full Action when Disk Space Is Fullmedium
fixed
Configure auditd mail_acct Action on Low Disk Spacemedium
pass
Configure auditd admin_space_left Action on Low Disk Spacemedium
fixed
Configure auditd admin_space_left on Low Disk Spacemedium
fixed
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizemedium
pass
Configure auditd space_left Action on Low Disk Spacemedium
fixed
Configure auditd space_left on Low Disk Spacemedium
fixed
Set number of records to cause an explicit flush to audit logsmedium
pass
Include Local Events in Audit Logsmedium
pass
Resolve information before writing to audit logslow
pass
Set type of computer node name logging in audit logsmedium
fixed
Appropriate Action Must be Setup When the Internal Audit Event Queue is Fullmedium
pass
Write Audit Logs to the Diskmedium
pass
Install audispd-plugins Packagemedium
fixed
Ensure the audit Subsystem is Installedmedium
pass
Enable auditd Servicemedium
pass
Enable Auditing for Processes Which Start Prior to the Audit Daemonlow
fixed
Extend Audit Backlog Limit for the Audit Daemonlow
fixed

Result Details

Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed medium

Install AIDE

Rule IDxccdf_org.ssgproject.content_rule_package_aide_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_aide_installed:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9
cjis5.10.1.3
cobit5APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06
disaCCI-002696, CCI-002699, CCI-001744
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6
ism1034, 1288, 1341, 1417
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3
nistCM-6(a)
nist-csfDE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3
pcidssReq-11.5
os-srgSRG-OS-000445-GPOS-00199
anssiR76, R79
cis1.3.1
pcidss411.5.2
stigrefSV-258134r926389_rule
Description
The aide package can be installed with the following command:
$ sudo dnf install aide
Rationale
The AIDE package must be installed if it is to be available for integrity checking.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64
Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database medium

Build and Test AIDE Database

Rule IDxccdf_org.ssgproject.content_rule_aide_build_database
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_build_database:def:1
Time2024-08-21T12:36:31+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9
cjis5.10.1.3
cobit5APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3
nistCM-6(a)
nist-csfDE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3
pcidssReq-11.5
os-srgSRG-OS-000445-GPOS-00199
anssiR76, R79
cis1.3.1
pcidss411.5.2
stigrefSV-258134r926389_rule
Description
Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
Rationale
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Start timestamp: 2024-08-21 12:36:07 +0000 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	160022

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : pVl60qJf7Bmu6lExTv/Xcg==
  SHA1     : pE68xSdK+ZwLgV0QJ/6LWGbKN70=
  RMD160   : mgNpjKsuS7jmw6LfuK8jmi7Oglw=
  TIGER    : zTv3GwtWXxIKdH9ofPbMomqLB6NfC0Oh
  SHA256   : XKgER9jPpG75RC+qqOFfCfQQm2BPpLM3
             N+DC6aEf/90=
  SHA512   : oqAY/RnH4oLJ6fw6XHjdqgVHJ8RpUqER
             ltY9mbYH3G87MutnzeLU3jer4eFjXvzk
             td6y+1arSJzi+TLJnrq2Nw==


End timestamp: 2024-08-21 12:36:31 +0000 (run time: 0m 24s)
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

Testing existence of operational aide database file  oval:ssg-test_aide_operational_database_absolute_path:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type file_object
Filepath
/var/lib/aide/aide.db.gz
Configure AIDE to Verify the Audit Toolsxccdf_org.ssgproject.content_rule_aide_check_audit_tools medium

Configure AIDE to Verify the Audit Tools

Rule IDxccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_check_audit_tools:def:1
Time2024-08-21T12:36:31+00:00
Severitymedium
References:
disaCCI-001496
nistAU-9(3), AU-9(3).1
os-srgSRG-OS-000278-GPOS-00108
cis1.3.3
stigrefSV-258137r943021_rule
Description
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

auditctl is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^\/usr\/sbin\/auditctl\s+([^\n]+)$1

auditd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/auditd\s+([^\n]+)$1

ausearch is checked in /etc/aide.conf  oval:ssg-test_aide_verify_ausearch:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_ausearch:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/ausearch\s+([^\n]+)$1

aureport is checked in /etc/aide.conf  oval:ssg-test_aide_verify_aureport:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_aureport:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/aureport\s+([^\n]+)$1

autrace is checked in /etc/aide.conf  oval:ssg-test_aide_verify_autrace:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_autrace:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/autrace\s+([^\n]+)$1

rsyslogd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_rsyslogd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_rsyslogd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/rsyslogd\s+([^\n]+)$1

augenrules is checked in /etc/aide.conf  oval:ssg-test_aide_verify_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aide.conf^/usr/sbin/augenrules\s+([^\n]+)$1
Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking medium

Configure Periodic Execution of AIDE

Rule IDxccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_periodic_cron_checking:def:1
Time2024-08-21T12:36:31+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9
cjis5.10.1.3
cobit5APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06
disaCCI-001744, CCI-002699, CCI-002702
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3
nistSI-7, SI-7(1), CM-6(a)
nist-csfDE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3
pcidssReq-11.5
os-srgSRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
anssiR76
cis1.3.2
pcidss411.5.2
stigrefSV-258135r926392_rule
Description
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
Rationale
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

run aide with cron  oval:ssg-test_aide_periodic_cron_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/crontab^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron  oval:ssg-test_aide_crond_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/cron.d^.*$^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron  oval:ssg-test_aide_var_cron_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/var/spool/cron/root^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron.(daily|weekly)  oval:ssg-test_aide_crontabs_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^/etc/cron.(daily|weekly)$^.*$^[^#]*\/usr\/sbin\/aide\s+\-\-check\s*$1
Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification medium

Configure Notification of Post-AIDE Scan Details

Rule IDxccdf_org.ssgproject.content_rule_aide_scan_notification
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_scan_notification:def:1
Time2024-08-21T12:36:31+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9
cobit5BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07
disaCCI-001744, CCI-002699, CCI-002702
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 6.2, SR 7.6
iso27001-2013A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1
nistCM-6(a), CM-3(5)
nist-csfDE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3
os-srgSRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
anssiR76
stigrefSV-258135r926392_rule
Description
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
Rationale
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

notify personnel when aide completes  oval:ssg-test_aide_scan_notification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_scan_notification:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/crontab^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$1

notify personnel when aide completes  oval:ssg-test_aide_var_cron_notification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/var/spool/cron/root^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$1

notify personnel when aide completes in cron.(daily|weekly|monthly)  oval:ssg-test_aide_crontabs_notification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^/etc/cron.(d|daily|weekly|monthly)$^.*$^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$1
Configure AIDE to Use FIPS 140-2 for Validating Hashesxccdf_org.ssgproject.content_rule_aide_use_fips_hashes medium

Configure AIDE to Use FIPS 140-2 for Validating Hashes

Rule IDxccdf_org.ssgproject.content_rule_aide_use_fips_hashes
Result
error
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_use_fips_hashes:def:1
Time2024-08-21T12:36:32+00:00
Severitymedium
References:
cis-csc2, 3
cobit5APO01.06, BAI03.05, BAI06.01, DSS06.02
cui3.13.11
disaCCI-000366
isa-62443-20094.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8
iso27001-2013A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
nistSI-7, SI-7(1), CM-6(a)
nist-csfPR.DS-6, PR.DS-8
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258136r926395_rule
Description
By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
Rationale
File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
Warnings
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Failed to verify applied fix: Checking engine returns: fail

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    dnf install -y "aide"
fi

aide_conf="/etc/aide.conf"
forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)

groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)

for group in $groups
do
	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

	if ! [[ $config = *sha512* ]]
	then
		config=$config"+sha512"
	fi

	for hash in "${forbidden_hashes[@]}"
	do
		config=$(echo $config | sed "s/$hash//")
	done

	config=$(echo $config | sed "s/^\+*//")
	config=$(echo $config | sed "s/\+\++/+/")
	config=$(echo $config | sed "s/\+$//")

	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/os-releaseID="rocky"

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/os-releaseVERSION_ID="9.4"

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

Verify non-FIPS hashes are not configured in /etc/aide.conf  oval:ssg-test_aide_non_fips_hashes:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/aide.confALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

Verify FIPS hashes are configured in /etc/aide.conf  oval:ssg-test_aide_use_fips_hashes:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/aide.confALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
false/etc/aide.confEVERYTHING = R+ALLXTRAHASHES
true/etc/aide.confNORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
false/etc/aide.confDIR = p+i+n+u+g+acl+selinux+xattrs
false/etc/aide.confPERMS = p+u+g+acl+selinux+xattrs
false/etc/aide.confLOG = p+u+g+n+S+acl+selinux+xattrs
true/etc/aide.confCONTENT = sha512+ftype
true/etc/aide.confCONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
true/etc/aide.confDATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls low

Configure AIDE to Verify Access Control Lists (ACLs)

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_acls
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_acls:def:1
Time2024-08-21T12:36:32+00:00
Severitylow
References:
cis-csc2, 3
cobit5APO01.06, BAI03.05, BAI06.01, DSS06.02
disaCCI-000366
isa-62443-20094.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8
iso27001-2013A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
nistSI-7, SI-7(1), CM-6(a)
nist-csfPR.DS-6, PR.DS-8
os-srgSRG-OS-000480-GPOS-00227
anssiR76
stigrefSV-258138r926401_rule
Description
By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
Rationale
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

acl is set in /etc/aide.conf  oval:ssg-test_aide_verify_acls:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/aide.confNORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
false/etc/aide.confEVERYTHING = R+ALLXTRAHASHES
true/etc/aide.confPERMS = p+u+g+acl+selinux+xattrs
true/etc/aide.confLOG = p+u+g+n+S+acl+selinux+xattrs
true/etc/aide.confDIR = p+i+n+u+g+acl+selinux+xattrs
false/etc/aide.confCONTENT = sha512+ftype
true/etc/aide.confCONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
true/etc/aide.confDATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes low

Configure AIDE to Verify Extended Attributes

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_ext_attributes:def:1
Time2024-08-21T12:36:32+00:00
Severitylow
References:
cis-csc2, 3
cobit5APO01.06, BAI03.05, BAI06.01, DSS06.02
disaCCI-000366
isa-62443-20094.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8
iso27001-2013A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
nistSI-7, SI-7(1), CM-6(a)
nist-csfPR.DS-6, PR.DS-8
os-srgSRG-OS-000480-GPOS-00227
anssiR76
stigrefSV-258139r926404_rule
Description
By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
Rationale
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedaidex86_64(none)100.el90.160:0.16-100.el90aide-0:0.16-100.el9.x86_64

xattrs is set in /etc/aide.conf  oval:ssg-test_aide_verify_ext_attributes:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/aide.confNORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
false/etc/aide.confEVERYTHING = R+ALLXTRAHASHES
true/etc/aide.confPERMS = p+u+g+acl+selinux+xattrs
true/etc/aide.confLOG = p+u+g+n+S+acl+selinux+xattrs
true/etc/aide.confDIR = p+i+n+u+g+acl+selinux+xattrs
false/etc/aide.confCONTENT = sha512+ftype
true/etc/aide.confCONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
true/etc/aide.confDATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
Audit Tools Must Be Group-owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership medium

Audit Tools Must Be Group-owned by Root

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_group_ownership:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001493, CCI-001494, CCI-001495
nistAU-9
os-srgSRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
stigrefSV-257925r925762_rule
Description
Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing group ownership of /sbin/auditctl  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_0:ste:1

Testing group ownership of /sbin/aureport  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_1:ste:1

Testing group ownership of /sbin/ausearch  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_2:ste:1

Testing group ownership of /sbin/autrace  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_3:ste:1

Testing group ownership of /sbin/auditd  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_4:ste:1

Testing group ownership of /sbin/rsyslogd  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_5:ste:1

Testing group ownership of /sbin/augenrules  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_6:ste:1
Audit Tools Must Be Owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_ownership medium

Audit Tools Must Be Owned by Root

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_ownership
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_ownership:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001493, CCI-001494, CCI-001495
nistAU-9
os-srgSRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
stigrefSV-257924r925759_rule
Description
Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct owner.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing user ownership of /sbin/auditctl  oval:ssg-test_file_ownerfile_audit_tools_ownership_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_0:ste:1

Testing user ownership of /sbin/aureport  oval:ssg-test_file_ownerfile_audit_tools_ownership_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_1:ste:1

Testing user ownership of /sbin/ausearch  oval:ssg-test_file_ownerfile_audit_tools_ownership_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_2:ste:1

Testing user ownership of /sbin/autrace  oval:ssg-test_file_ownerfile_audit_tools_ownership_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_3:ste:1

Testing user ownership of /sbin/auditd  oval:ssg-test_file_ownerfile_audit_tools_ownership_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_4:ste:1

Testing user ownership of /sbin/rsyslogd  oval:ssg-test_file_ownerfile_audit_tools_ownership_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_5:ste:1

Testing user ownership of /sbin/augenrules  oval:ssg-test_file_ownerfile_audit_tools_ownership_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_6:ste:1
Audit Tools Must Have a Mode of 0755 or Less Permissivexccdf_org.ssgproject.content_rule_file_audit_tools_permissions medium

Audit Tools Must Have a Mode of 0755 or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_permissions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_permissions:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001493
nistAU-9
os-srgSRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
stigrefSV-257887r925648_rule
Description
Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have a mode of 0755 or less permissive.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing mode of /sbin/auditctl  oval:ssg-test_file_permissionsfile_audit_tools_permissions_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_0_mode_0755or_stricter_:ste:1

Testing mode of /sbin/aureport  oval:ssg-test_file_permissionsfile_audit_tools_permissions_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_1_mode_0755or_stricter_:ste:1

Testing mode of /sbin/ausearch  oval:ssg-test_file_permissionsfile_audit_tools_permissions_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_2_mode_0755or_stricter_:ste:1

Testing mode of /sbin/autrace  oval:ssg-test_file_permissionsfile_audit_tools_permissions_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_3_mode_0755or_stricter_:ste:1

Testing mode of /sbin/auditd  oval:ssg-test_file_permissionsfile_audit_tools_permissions_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_4_mode_0755or_stricter_:ste:1

Testing mode of /sbin/rsyslogd  oval:ssg-test_file_permissionsfile_audit_tools_permissions_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_5_mode_0755or_stricter_:ste:1

Testing mode of /sbin/augenrules  oval:ssg-test_file_permissionsfile_audit_tools_permissions_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_6_mode_0755or_stricter_:ste:1
Enable Dracut FIPS Modulexccdf_org.ssgproject.content_rule_enable_dracut_fips_module high

Enable Dracut FIPS Module

Rule IDxccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_dracut_fips_module:def:1
Time2024-08-21T12:38:03+00:00
Severityhigh
References:
disaCCI-000068, CCI-000803, CCI-002450
ism1446
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistSC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12
osppFCS_RBG_EXT.1
os-srgSRG-OS-000478-GPOS-00223
stigrefSV-258230r926677_rule
Description
To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
add_dracutmodules+=" fips "
OVAL test results details

add_dracutmodules contains fips  oval:ssg-test_enable_dracut_fips_module:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/dracut.conf.d/40-fips.conf^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$1
Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode high

Enable FIPS Mode

Rule IDxccdf_org.ssgproject.content_rule_enable_fips_mode
Result
error
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_fips_mode:def:1
Time2024-08-21T12:38:05+00:00
Severityhigh
References:
disaCCI-000068, CCI-000803, CCI-002450
ism1446
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistCM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12
osppFCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1
os-srgSRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176
stigrefSV-258230r926677_rule
Description
To enable FIPS mode, run the following command:
fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • Loading the Dracut fips module
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Preserving current FIPS-based policy FIPS.
Please review the subpolicies to ensure they only restrict, not relax the FIPS policy.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
info 
Failed to verify applied fix: Checking engine returns: fail

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_system_crypto_policy='FIPS'


fips-mode-setup --enable

stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
	echo "$stderr_of_call" >&2
	echo "Make sure that the script is installed on the remediated system." >&2
	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
	echo "to see what package to (re)install" >&2

	false  # end with an error code
elif test "$rc" != 0; then
	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
	false  # end with an error code
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str FIPS
  tags:
    - always

- name: Enable FIPS Mode - Check to See the Current Status of FIPS Mode
  ansible.builtin.command: /usr/bin/fips-mode-setup --check
  register: is_fips_enabled
  failed_when: false
  changed_when: false
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and not ( lookup("env", "container") == "bwrap-osbuild" ) )
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-671010
  - NIST-800-53-CM-3(6)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-12
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - enable_fips_mode
  - high_severity
  - medium_complexity
  - medium_disruption
  - reboot_required
  - restrict_strategy

- name: Enable FIPS Mode - Enable FIPS Mode
  ansible.builtin.command: /usr/bin/fips-mode-setup --enable
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and not ( lookup("env", "container") == "bwrap-osbuild" ) )
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
  tags:
  - DISA-STIG-RHEL-09-671010
  - NIST-800-53-CM-3(6)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-12
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - enable_fips_mode
  - high_severity
  - medium_complexity
  - medium_disruption
  - reboot_required
  - restrict_strategy

- name: Enable FIPS Mode - Configure Crypto Policy
  ansible.builtin.lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and not ( lookup("env", "container") == "bwrap-osbuild" ) )
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-671010
  - NIST-800-53-CM-3(6)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-12
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - enable_fips_mode
  - high_severity
  - medium_complexity
  - medium_disruption
  - reboot_required
  - restrict_strategy

- name: Enable FIPS Mode - Verify that Crypto Policy is Set (runtime)
  ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy
    }}
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and not ( lookup("env", "container") == "bwrap-osbuild" ) )
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-671010
  - NIST-800-53-CM-3(6)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-12
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - enable_fips_mode
  - high_severity
  - medium_complexity
  - medium_disruption
  - reboot_required
  - restrict_strategy


[customizations]
fips = true
OVAL test results details

/etc/system-fips exists  oval:ssg-test_etc_system_fips:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_system_fips:obj:1 of type file_object
Filepath
/etc/system-fips

kernel runtime parameter crypto.fips_enabled set to 1  oval:ssg-test_sysctl_crypto_fips_enabled:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsecrypto.fips_enabled0

add_dracutmodules contains fips  oval:ssg-test_enable_dracut_fips_module:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/dracut.conf.d/40-fips.conf^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$1

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/crypto-policies/configDEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/crypto-policies/state/currentDEFAULT

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-variable_crypto_policies_config_file_timestamp:var:11699890899

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
not evaluated/etc/crypto-policies/back-ends/nss.configregular00447rw-r--r-- 

test if var_system_crypto_policy selection is set to FIPS  oval:ssg-test_system_crypto_policy_value:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_system_crypto_policy:var:1FIPS

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf  oval:ssg-test_fips_1_argument_in_boot_loader_entries_conf:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-0-rescue.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-0-rescue.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf  oval:ssg-test_fips_1_argument_in_boot_loader_entries_conf:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-0-rescue.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-0-rescue.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
Set kernel parameter 'crypto.fips_enabled' to 1xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled high

Set kernel parameter 'crypto.fips_enabled' to 1

Rule IDxccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_crypto_fips_enabled:def:1
Time2024-08-21T12:38:05+00:00
Severityhigh
References:
disaCCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-002418, CCI-002450, CCI-002890, CCI-003123
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistSC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12
os-srgSRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223
stigrefSV-258230r926677_rule
Description
System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

kernel runtime parameter crypto.fips_enabled set to 1  oval:ssg-test_sysctl_crypto_fips_enabled:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsecrypto.fips_enabled0
Install crypto-policies packagexccdf_org.ssgproject.content_rule_package_crypto-policies_installed medium

Install crypto-policies package

Rule IDxccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_crypto-policies_installed:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
osppFCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1
os-srgSRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
stigrefSV-258234r926689_rule
Description
The crypto-policies package can be installed with the following command:
$ sudo dnf install crypto-policies
Rationale
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
OVAL test results details

package crypto-policies is installed  oval:ssg-test_package_crypto-policies_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedcrypto-policiesnoarch(none)1.git283706d.el9202402020:20240202-1.git283706d.el90crypto-policies-0:20240202-1.git283706d.el9.noarch
Configure BIND to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy high

Configure BIND to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:26+00:00
Severityhigh
References:
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistSC-13, SC-12(2), SC-12(3)
os-srgSRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
stigrefSV-258242r926713_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";
Rationale
Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy high

Configure System Cryptography Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_crypto_policy
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_crypto_policy:def:1
Time2024-08-21T12:38:05+00:00
Severityhigh
References:
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
ism1446
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nistAC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3)
osppFCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1
os-srgSRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
cis1.10
pcidss42.2.7
stigrefSV-258230r926677_rule, SV-258238r926701_rule, SV-258241r926710_rule
Description
To configure the system cryptography policy to use ciphers only from the FIPS policy, run the following command:
$ sudo update-crypto-policies --set FIPS
                  
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/crypto-policies/configDEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/crypto-policies/state/currentDEFAULT

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-variable_crypto_policies_config_file_timestamp:var:11699890899

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
not evaluated/etc/crypto-policies/back-ends/nss.configregular00447rw-r--r-- 
Configure Kerberos to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy high

Configure Kerberos to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_kerberos_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severityhigh
References:
ism0418, 1055, 1402
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistSC-13, SC-12(2), SC-12(3)
os-srgSRG-OS-000120-GPOS-00061
stigrefSV-258237r926698_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
Rationale
Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.
OVAL test results details

Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file  oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1/usr/share/crypto-policies/DEFAULT/krb5.txt

Check if kerberos configuration symlink links to the crypto-policy backend file  oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1/usr/share/crypto-policies/DEFAULT/krb5.txt
Configure Libreswan to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy high

Configure Libreswan to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_libreswan_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severityhigh
References:
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistCM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3)
osppFCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6
pcidssReq-2.2
os-srgSRG-OS-000033-GPOS-00014
stigrefSV-258232r926683_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config
Rationale
Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
OVAL test results details

package libreswan is installed  oval:ssg-test_package_libreswan_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
Name
libreswan

Check that the libreswan configuration includes the crypto policy config file  oval:ssg-test_configure_libreswan_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ipsec.conf^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$1
Configure OpenSSL library to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy medium

Configure OpenSSL library to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_openssl_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001453
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nistAC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3)
pcidssReq-2.2
os-srgSRG-OS-000250-GPOS-00093
stigrefSV-258239r926704_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive.
Rationale
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.
OVAL test results details

Check that the configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_crypto_policy:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pki/tls/openssl.cnf [ crypto_policy ] .include = /etc/crypto-policies/back-ends/opensslcnf.config
Configure OpenSSL library to use TLS Encryptionxccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy medium

Configure OpenSSL library to use TLS Encryption

Rule IDxccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_openssl_tls_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001453
nistAC-17(2)
os-srgSRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
stigrefSV-258240r926707_rule
Description
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures TLS protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy. Or create and apply a custom policy that restricts minimum TLS version to 1.2. For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch this is expected:
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2
Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected:
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
Rationale
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings
warning  This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive. Ensure the variable xccdf_org.ssgproject.content_value_var_system_crypto_policy is set to a Crypto Policy that satisfies OpenSSL minimum TLS protocol version 1.2. Custom policies may be applied too.
OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_tls_crypto_policy:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/crypto-policies/back-ends/opensslcnf.configTLS.MinProtocol = TLSv1.2

Installed version of crypto-policies is older than 20210617-1  oval:ssg-test_installed_version_of_crypto_policies:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
falsecrypto-policiesnoarch(none)1.git283706d.el9202402020:20240202-1.git283706d.el90crypto-policies-0:20240202-1.git283706d.el9.noarch

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_dtls_crypto_policy:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/crypto-policies/back-ends/opensslcnf.configDTLS.MinProtocol = DTLSv1.2
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy medium

Configure SSH to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_ssh_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severitymedium
References:
disaCCI-001453
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
nistAC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13
osppFCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1
pcidssReq-2.2
os-srgSRG-OS-000250-GPOS-00093
cis5.2.14
pcidss42.2.7
stigrefSV-257987r952185_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.
Rationale
Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_ssh_crypto_policy:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysconfig/sshd^\s*(?i)CRYPTO_POLICY\s*=.*$1
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy high

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy:def:1
Time2024-08-21T12:34:26+00:00
Severityhigh
References:
disaCCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123
nistAC-17(2)
os-srgSRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187
stigrefSV-257988r925951_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out:
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
                  
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

test the value of Ciphers setting in the /etc/crypto-policies/back-ends/openssh.config file  oval:ssg-test_harden_sshd_ciphers_openssh_conf_crypto_policy:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/crypto-policies/back-ends/openssh.configCiphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy medium

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
disaCCI-000877, CCI-001453
nistAC-17(2)
os-srgSRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093
stigrefSV-257989r943014_rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out:
-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
                  
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

test the value of Ciphers setting in the /etc/crypto-policies/back-ends/opensshserver.config file  oval:ssg-test_harden_sshd_ciphers_opensshserver_conf_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_harden_sshd_ciphers_opensshserver_conf_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/crypto-policies/back-ends/opensshserver.config^(?!#).*(-oCiphers=[^\s']+).*$1
The Installed Operating System Is Vendor Supportedxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported high

The Installed Operating System Is Vendor Supported

Rule IDxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-installed_OS_is_vendor_supported:def:1
Time2024-08-21T12:38:05+00:00
Severityhigh
References:
cis-csc18, 20, 4
cobit5APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02
disaCCI-000366
isa-62443-20094.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9
iso27001-2013A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
nistCM-6(a), MA-6, SA-13(a)
nist-csfID.RA-1, PR.IP-12
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257777r925318_rule
Description
The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches.
Rationale
An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.
Warnings
warning  There is no remediation besides switching to a different operating system.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release
Install McAfee Endpoint Security for Linux (ENSL)xccdf_org.ssgproject.content_rule_package_mcafeetp_installed medium

Install McAfee Endpoint Security for Linux (ENSL)

Rule IDxccdf_org.ssgproject.content_rule_package_mcafeetp_installed
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-package_mcafeetp_installed:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
disaCCI-001263, CCI-000366
nistSI-2(2)
os-srgSRG-OS-000191-GPOS-00080
stigrefSV-257780r939261_rule
Description
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The McAfeeTP package can be installed with the following command:
$ sudo dnf install McAfeeTP
Rationale
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Warnings
warning  Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

package McAfeeTP is installed  oval:ssg-test_package_McAfeeTP_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_McAfeeTP_installed:obj:1 of type rpminfo_object
Name
McAfeeTP
Ensure McAfee Endpoint Security for Linux (ENSL) is runningxccdf_org.ssgproject.content_rule_agent_mfetpd_running medium

Ensure McAfee Endpoint Security for Linux (ENSL) is running

Rule IDxccdf_org.ssgproject.content_rule_agent_mfetpd_running
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-agent_mfetpd_running:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
disaCCI-001263, CCI-000366
nistSI-2(2)
os-srgSRG-OS-000191-GPOS-00080
stigrefSV-257780r939261_rule
Description
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.
Rationale
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Warnings
warning  Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

is mfetpd running  oval:ssg-test_agent_mfetpd_running:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_agent_mfetpd_running:obj:1 of type process58_object
Command linePid
^mfetpd.*$0
Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions high

Encrypt Partitions

Rule IDxccdf_org.ssgproject.content_rule_encrypt_partitions
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:26+00:00
Severityhigh
References:
cis-csc13, 14
cobit5APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06
cui3.13.16
disaCCI-001199, CCI-002475, CCI-002476
hipaa164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d)
isa-62443-2013SR 3.4, SR 4.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R4.2, CIP-007-3 R5.1
nistCM-6(a), SC-28, SC-28(1), SC-13, AU-9(3)
nist-csfPR.DS-1, PR.DS-5
os-srgSRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183
stigrefSV-257879r925624_rule
Description
Red Hat Enterprise Linux 9 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
                
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 9 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening .
Rationale
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Evaluation messages
info 
No candidate or applicable check found.
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home low

Ensure /home Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_home
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_home:def:1
Time2024-08-21T12:38:05+00:00
Severitylow
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
disaCCI-000366, CCI-001208
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistCM-6(a), SC-5(2)
nist-csfPR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR28
cis1.1.7.1
stigrefSV-257843r925516_rule
Description
If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale
Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /home


[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
OVAL test results details

/home on own partition  oval:ssg-testhome_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mounthome_own_partition:obj:1 of type partition_object
Mount point
/home
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp low

Ensure /tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_tmp
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_tmp:def:1
Time2024-08-21T12:38:05+00:00
Severitylow
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
disaCCI-000366
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistCM-6(a), SC-5(2)
nist-csfPR.PT-4
os-srgSRG-OS-000480-GPOS-00227
cis1.1.2.1
stigrefSV-257844r925519_rule
Description
The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /tmp


[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
OVAL test results details

/tmp on own partition  oval:ssg-testtmp_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mounttmp_own_partition:obj:1 of type partition_object
Mount point
/tmp
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var low

Ensure /var Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var:def:1
Time2024-08-21T12:38:05+00:00
Severitylow
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
disaCCI-000366
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistCM-6(a), SC-5(2)
nist-csfPR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR28
cis1.1.3.1
stigrefSV-257845r925522_rule
Description
The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var


[[customizations.filesystem]]
mountpoint = "/var"
size = 3221225472
OVAL test results details

/var on own partition  oval:ssg-testvar_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_own_partition:obj:1 of type partition_object
Mount point
/var
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log low

Ensure /var/log Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log:def:1
Time2024-08-21T12:38:05+00:00
Severitylow
References:
cis-csc1, 12, 14, 15, 16, 3, 5, 6, 8
cobit5APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01
disaCCI-000366
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3
nerc-cipCIP-007-3 R6.5
nistCM-6(a), AU-4, SC-5(2)
nist-csfPR.PT-1, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR28
cis1.1.5.1
stigrefSV-257846r925525_rule
Description
System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Placing /var/log in its own partition enables better separation between log files and other files in /var/.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log


[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
OVAL test results details

/var/log on own partition  oval:ssg-testvar_log_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_own_partition:obj:1 of type partition_object
Mount point
/var/log
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit low

Ensure /var/log/audit Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log_audit:def:1
Time2024-08-21T12:38:05+00:00
Severitylow
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8
cobit5APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01
disaCCI-000366, CCI-001849
hipaa164.312(a)(2)(ii)
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1
nerc-cipCIP-007-3 R6.5
nistCM-6(a), AU-4, SC-5(2)
nist-csfPR.DS-4, PR.PT-1, PR.PT-4
osppFMT_SMF_EXT.1
os-srgSRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227
app-srg-ctrSRG-APP-000357-CTR-000800
anssiR71
cis1.1.6.1
stigrefSV-257847r925528_rule
Description
Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Rationale
Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log/audit


[[customizations.filesystem]]
mountpoint = "/var/log/audit"
size = 10737418240
OVAL test results details

/var/log/audit on own partition  oval:ssg-testvar_log_audit_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_audit_own_partition:obj:1 of type partition_object
Mount point
/var/log/audit
Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp medium

Ensure /var/tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_tmp
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_tmp:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
os-srgSRG-OS-000480-GPOS-00227
anssiR28
cis1.1.4.1
stigrefSV-257848r925531_rule
Description
The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Evaluation messages
info 
No suitable fix found.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/tmp


[[customizations.filesystem]]
mountpoint = "/var/tmp"
size = 1073741824
OVAL test results details

/var/tmp on own partition  oval:ssg-testvar_tmp_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_tmp_own_partition:obj:1 of type partition_object
Mount point
/var/tmp
Disable the GNOME3 Login Restart and Shutdown Buttonsxccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown high

Disable the GNOME3 Login Restart and Shutdown Buttons

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.2
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1), CM-7(b)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258029r943059_rule, SV-258030r926077_rule
Description
In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability the ability to shutdown or restart the system. This functionality should be disabled by setting disable-restart-buttons to true.

To disable, add or edit disable-restart-buttons to /etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.
Rationale
A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.
Disable the GNOME3 Login User Listxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list medium

Disable the GNOME3 Login User List

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
nistCM-6(a), AC-23
os-srgSRG-OS-000480-GPOS-00227
cis1.8.3
stigrefSV-258033r926086_rule
Description
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
Rationale
Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
Enable the GNOME3 Screen Locking On Smartcard Removalxccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal medium

Enable the GNOME3 Screen Locking On Smartcard Removal

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000056, CCI-000058
os-srgSRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
stigrefSV-258019r926044_rule, SV-258020r926047_rule
Description
In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action to 'lock-screen'.

To enable, add or edit removal-action to /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.
Rationale
Locking the screen automatically when removing the smartcard can prevent undesired access to system.
Disable GNOME3 Automount Openingxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open medium

Disable GNOME3 Automount Opening

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc12, 16
cobit5APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
cui3.1.7
disaCCI-000366, CCI-000778, CCI-001958
isa-62443-20094.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
iso27001-2013A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.AC-6
os-srgSRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
cis1.8.6, 1.8.7
pcidss43.4.2
stigrefSV-258014r926029_rule, SV-258015r926032_rule
Description
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set automount-open to false in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
Rationale
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
Disable GNOME3 Automount runningxccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun low

Disable GNOME3 Automount running

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitylow
References:
cis-csc12, 16
cobit5APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
cui3.1.7
disaCCI-000366, CCI-000778, CCI-001958
isa-62443-20094.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
iso27001-2013A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.AC-6
os-srgSRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
cis1.8.8, 1.8.9
stigrefSV-258016r926035_rule, SV-258017r926038_rule
Description
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
Rationale
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay medium

Set GNOME3 Screensaver Inactivity Timeout

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.5
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000057, CCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-11(a), CM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
pcidssReq-8.1.8
os-srgSRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
cis1.8.4
pcidss48.2.8
stigrefSV-258023r926056_rule
Description
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay medium

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000056, CCI-000057, CCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-11(a), CM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
pcidssReq-8.1.8
os-srgSRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
cis1.8.4
pcidss48.2.8
stigrefSV-258025r926062_rule
Description
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 0 in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 0
                  
After the settings have been set, run dconf update.
Rationale
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.
Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled medium

Enable GNOME3 Screensaver Lock After Idle Period

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.5
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000056, CCI-000058, CCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
pcidssReq-8.1.8
os-srgSRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
pcidss48.2.8
stigrefSV-258021r926050_rule, SV-258022r926053_rule
Description
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
Rationale
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.
Implement Blank Screensaverxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank medium

Implement Blank Screensaver

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.5
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-11(1), CM-6(a), AC-11(1).1
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
pcidssReq-8.1.8
os-srgSRG-OS-000031-GPOS-00012
pcidss48.2.8
stigrefSV-258027r926068_rule
Description
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
Rationale
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks medium

Ensure Users Cannot Change GNOME3 Screensaver Settings

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000057, CCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
os-srgSRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
cis1.8.5
stigrefSV-258026r926065_rule
Description
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks medium

Ensure Users Cannot Change GNOME3 Session Idle Settings

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000057, CCI-000060
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
pcidssReq-8.1.8
os-srgSRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
cis1.8.5
pcidss48.2.8
stigrefSV-258024r926059_rule
Description
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot high

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.2
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1), CM-7(b)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258031r926080_rule, SV-258032r926083_rule
Description
By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Make sure that the dconf databases are up-to-date with regards to respective keyfilesxccdf_org.ssgproject.content_rule_dconf_db_up_to_date high

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

Rule IDxccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
hipaa164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A)
pcidssReq-6.2
os-srgSRG-OS-000480-GPOS-00227
ccnreload_dconf_db
cisreload_dconf_db
pcidss48.2.8
stigrefSV-258028r926071_rule
Description
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update
command. More specifically, content present in the following directories:
/etc/dconf/db/distro.d
/etc/dconf/db/local.d
Rationale
Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.
Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed medium

Install sudo Package

Rule IDxccdf_org.ssgproject.content_rule_package_sudo_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_sudo_installed:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
ism1382, 1384, 1386
nistCM-6(a)
osppFMT_MOF_EXT.1
os-srgSRG-OS-000324-GPOS-00125
anssiR33
cis5.3.1
pcidss42.2.6
stigrefSV-258083r926236_rule
Description
The sudo package can be installed with the following command:
$ sudo dnf install sudo
Rationale
sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
OVAL test results details

package sudo is installed  oval:ssg-test_package_sudo_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedsudox86_64(none)10.el9_31.9.5p20:1.9.5p2-10.el9_30sudo-0:1.9.5p2-10.el9_3.x86_64
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate medium

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_remove_no_authenticate:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.10, DSS06.03, DSS06.10
disaCCI-002038
isa-62443-20094.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-11, CM-6(a)
nist-csfPR.AC-1, PR.AC-7
os-srgSRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
stigrefSV-258086r943065_rule
Description
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
OVAL test results details

!authenticate does not exist in /etc/sudoers  oval:ssg-test_no_authenticate_etc_sudoers:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+\!authenticate.*$1

!authenticate does not exist in /etc/sudoers.d  oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d^.*$^(?!#).*[\s]+\!authenticate.*$1
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd medium

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Result
error
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_remove_nopasswd:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.10, DSS06.03, DSS06.10
disaCCI-002038
isa-62443-20094.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-11, CM-6(a)
nist-csfPR.AC-1, PR.AC-7
os-srgSRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
stigrefSV-258106r926305_rule
Description
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
sed: -e expression #1, char 38: unknown option to `s'
sed: -e expression #1, char 40: unknown option to `s'
info 
Failed to verify applied fix: Checking engine returns: fail

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
  ansible.builtin.find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - DISA-STIG-RHEL-09-611085
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd

- name: Remove lines containing NOPASSWD from sudoers files
  ansible.builtin.replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - DISA-STIG-RHEL-09-611085
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd
OVAL test results details

NOPASSWD does not exist /etc/sudoers  oval:ssg-test_nopasswd_etc_sudoers:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sudoersrocky ALL=(ALL) NOPASSWD: ALL

NOPASSWD does not exist in /etc/sudoers.d  oval:ssg-test_nopasswd_etc_sudoers_d:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sudoers.d/90-cloud-init-usersdjagaazure ALL=(ALL) NOPASSWD:ALL
not evaluated/etc/sudoers.d/omsagentomsagent ALL=(ALL) NOPASSWD: /opt/microsoft/omsconfig/Scripts/OMSRsyslog.post.sh
Require Re-Authentication When Using the sudo Commandxccdf_org.ssgproject.content_rule_sudo_require_reauthentication medium

Require Re-Authentication When Using the sudo Command

Rule IDxccdf_org.ssgproject.content_rule_sudo_require_reauthentication
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_require_reauthentication:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
disaCCI-002038
nistIA-11
os-srgSRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
cis5.3.5, 5.3.6
pcidss42.2.6
stigrefSV-258084r943061_rule
Description
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check correct configuration in /etc/sudoers  oval:ssg-test_sudo_timestamp_timeout:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\/etc\/(sudoers|sudoers\.d\/.*)$^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$1

check correct configuration in /etc/sudoers  oval:ssg-test_sudo_timestamp_timeout_no_signs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout_no_signs:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\/etc\/(sudoers|sudoers\.d\/.*)$^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$1
The operating system must restrict privilege elevation to authorized personnelxccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized medium

The operating system must restrict privilege elevation to authorized personnel

Rule IDxccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_restrict_privilege_elevation_to_authorized:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b), CM-6(iv)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258087r926248_rule
Description
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Rationale
If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Warnings
warning  This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
OVAL test results details

Make sure that sudoers has restrictions on which users can run sudo  oval:ssg-test_not_all_users_can_sudo_to_users:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_users:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$1

Make sure that sudoers has restrictions on which users can run sudo  oval:ssg-test_not_all_users_can_sudo_to_group:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_group:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*1
Ensure invoking users password for privilege escalation when using sudoxccdf_org.ssgproject.content_rule_sudoers_validate_passwd medium

Ensure invoking users password for privilege escalation when using sudo

Rule IDxccdf_org.ssgproject.content_rule_sudoers_validate_passwd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sudoers_validate_passwd:def:1
Time2024-08-21T12:38:05+00:00
Severitymedium
References:
disaCCI-000366, CCI-002227
nistCM-6(b), CM-6.1(iv)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258085r943063_rule
Description
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
Rationale
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_targetpw_config:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_config:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults !targetpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_rootpw_config:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_config:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults !rootpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_runaspw_config:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_config:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults !runaspw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_targetpw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults targetpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_rootpw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults rootpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_runaspw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults runaspw$\r?\n1
Ensure gnutls-utils is installedxccdf_org.ssgproject.content_rule_package_gnutls-utils_installed medium

Ensure gnutls-utils is installed

Rule IDxccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_gnutls-utils_installed:def:1
Time2024-08-21T12:38:10+00:00
Severitymedium
References:
osppFIA_X509_EXT.1, FIA_X509_EXT.2
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257839r925504_rule
Description
The gnutls-utils package can be installed with the following command:
$ sudo dnf install gnutls-utils
Rationale
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:00 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package            Architecture Version                  Repository       Size
================================================================================
Installing:
 gnutls-utils       x86_64       3.8.3-4.el9_4            appstream       287 k
Installing dependencies:
 gnutls-dane        x86_64       3.8.3-4.el9_4            appstream        21 k
 protobuf-c         x86_64       1.3.3-13.el9             baseos           34 k
 unbound-libs       x86_64       1.16.2-3.el9_3.5         appstream       548 k

Transaction Summary
================================================================================
Install  4 Packages

Total download size: 890 k
Installed size: 2.5 M
Downloading Packages:
(1/4): gnutls-utils-3.8.3-4.el9_4.x86_64.rpm    482 kB/s | 287 kB     00:00    
(2/4): protobuf-c-1.3.3-13.el9.x86_64.rpm        55 kB/s |  34 kB     00:00    
(3/4): unbound-libs-1.16.2-3.el9_3.5.x86_64.rpm 805 kB/s | 548 kB     00:00    
(4/4): gnutls-dane-3.8.3-4.el9_4.x86_64.rpm     228 kB/s |  21 kB     00:00    
--------------------------------------------------------------------------------
Total                                           849 kB/s | 890 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : protobuf-c-1.3.3-13.el9.x86_64                         1/4 
  Running scriptlet: unbound-libs-1.16.2-3.el9_3.5.x86_64                   2/4 
  Installing       : unbound-libs-1.16.2-3.el9_3.5.x86_64                   2/4 
  Running scriptlet: unbound-libs-1.16.2-3.el9_3.5.x86_64                   2/4 
Created symlink /etc/systemd/system/timers.target.wants/unbound-anchor.timer → /usr/lib/systemd/system/unbound-anchor.timer.

  Installing       : gnutls-dane-3.8.3-4.el9_4.x86_64                       3/4 
  Installing       : gnutls-utils-3.8.3-4.el9_4.x86_64                      4/4 
  Running scriptlet: gnutls-utils-3.8.3-4.el9_4.x86_64                      4/4 
  Verifying        : protobuf-c-1.3.3-13.el9.x86_64                         1/4 
  Verifying        : unbound-libs-1.16.2-3.el9_3.5.x86_64                   2/4 
  Verifying        : gnutls-utils-3.8.3-4.el9_4.x86_64                      3/4 
  Verifying        : gnutls-dane-3.8.3-4.el9_4.x86_64                       4/4 

Installed:
  gnutls-dane-3.8.3-4.el9_4.x86_64     gnutls-utils-3.8.3-4.el9_4.x86_64       
  protobuf-c-1.3.3-13.el9.x86_64       unbound-libs-1.16.2-3.el9_3.5.x86_64    

Complete!
OVAL test results details

package gnutls-utils is installed  oval:ssg-test_package_gnutls-utils_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gnutls-utils_installed:obj:1 of type rpminfo_object
Name
gnutls-utils
Ensure nss-tools is installedxccdf_org.ssgproject.content_rule_package_nss-tools_installed medium

Ensure nss-tools is installed

Rule IDxccdf_org.ssgproject.content_rule_package_nss-tools_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_nss-tools_installed:def:1
Time2024-08-21T12:38:14+00:00
Severitymedium
References:
osppFMT_SMF_EXT.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257840r925507_rule
Description
The nss-tools package can be installed with the following command:
$ sudo dnf install nss-tools
Rationale
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the nss-tools package to install command-line tools to manipulate the NSS certificate and key database.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:04 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package          Architecture  Version                  Repository        Size
================================================================================
Installing:
 nss-tools        x86_64        3.90.0-7.el9_4           appstream        431 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 431 k
Installed size: 1.3 M
Downloading Packages:
nss-tools-3.90.0-7.el9_4.x86_64.rpm             337 kB/s | 431 kB     00:01    
--------------------------------------------------------------------------------
Total                                           288 kB/s | 431 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : nss-tools-3.90.0-7.el9_4.x86_64                        1/1 
  Running scriptlet: nss-tools-3.90.0-7.el9_4.x86_64                        1/1 
  Verifying        : nss-tools-3.90.0-7.el9_4.x86_64                        1/1 

Installed:
  nss-tools-3.90.0-7.el9_4.x86_64                                               

Complete!
OVAL test results details

package nss-tools is installed  oval:ssg-test_package_nss-tools_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_nss-tools_installed:obj:1 of type rpminfo_object
Name
nss-tools
Install rng-tools Packagexccdf_org.ssgproject.content_rule_package_rng-tools_installed low

Install rng-tools Package

Rule IDxccdf_org.ssgproject.content_rule_package_rng-tools_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rng-tools_installed:def:1
Time2024-08-21T12:34:27+00:00
Severitylow
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257841r925510_rule
Description
The rng-tools package can be installed with the following command:
$ sudo dnf install rng-tools
Rationale
rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.
OVAL test results details

package rng-tools is installed  oval:ssg-test_package_rng-tools_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedrng-toolsx86_64(none)1.el96.160:6.16-1.el90rng-tools-0:6.16-1.el9.x86_64
Install subscription-manager Packagexccdf_org.ssgproject.content_rule_package_subscription-manager_installed medium

Install subscription-manager Package

Rule IDxccdf_org.ssgproject.content_rule_package_subscription-manager_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_subscription-manager_installed:def:1
Time2024-08-21T12:38:19+00:00
Severitymedium
References:
ism0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495
osppFPT_TUD_EXT.1, FPT_TUD_EXT.2
os-srgSRG-OS-000366-GPOS-00153
stigrefSV-257825r925462_rule
Description
The subscription-manager package can be installed with the following command:
$ sudo dnf install subscription-manager
Rationale
Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as . The package provides, among other things, plugins to interact with repositories and subscriptions from the Red Hat entitlement platform - the subscription-manager and product-id plugins.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:07 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
=======================================================================================
 Package                                  Arch    Version                 Repo     Size
=======================================================================================
Installing:
 subscription-manager                     x86_64  1.29.40-1.el9.rocky.0.1 baseos  778 k
Installing dependencies:
 libdnf-plugin-subscription-manager       x86_64  1.29.40-1.el9.rocky.0.1 baseos   60 k
 python3-cloud-what                       x86_64  1.29.40-1.el9.rocky.0.1 baseos   71 k
 python3-decorator                        noarch  4.4.2-6.el9             baseos   27 k
 python3-iniparse                         noarch  0.4-45.el9              baseos   42 k
 python3-inotify                          noarch  0.9.6-25.el9            baseos   52 k
 python3-librepo                          x86_64  1.14.5-2.el9            baseos   47 k
 python3-subscription-manager-rhsm        x86_64  1.29.40-1.el9.rocky.0.1 baseos  153 k
 subscription-manager-rhsm-certificates   noarch  20220623-1.el9          baseos   20 k
 usermode                                 x86_64  1.114-4.el9             baseos  175 k
 virt-what                                x86_64  1.25-5.el9              baseos   33 k

Transaction Summary
=======================================================================================
Install  11 Packages

Total download size: 1.4 M
Installed size: 5.4 M
Downloading Packages:
(1/11): python3-decorator-4.4.2-6.el9.noarch.rp  34 kB/s |  27 kB     00:00    
(2/11): python3-iniparse-0.4-45.el9.noarch.rpm   52 kB/s |  42 kB     00:00    
(3/11): usermode-1.114-4.el9.x86_64.rpm         191 kB/s | 175 kB     00:00    
(4/11): python3-inotify-0.9.6-25.el9.noarch.rpm 406 kB/s |  52 kB     00:00    
(5/11): python3-librepo-1.14.5-2.el9.x86_64.rpm 368 kB/s |  47 kB     00:00    
(6/11): virt-what-1.25-5.el9.x86_64.rpm         130 kB/s |  33 kB     00:00    
(7/11): python3-subscription-manager-rhsm-1.29. 1.1 MB/s | 153 kB     00:00    
(8/11): python3-cloud-what-1.29.40-1.el9.rocky. 277 kB/s |  71 kB     00:00    
(9/11): libdnf-plugin-subscription-manager-1.29 448 kB/s |  60 kB     00:00    
(10/11): subscription-manager-1.29.40-1.el9.roc 1.5 MB/s | 778 kB     00:00    
(11/11): subscription-manager-rhsm-certificates 145 kB/s |  20 kB     00:00    
--------------------------------------------------------------------------------
Total                                           903 kB/s | 1.4 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : subscription-manager-rhsm-certificates-20220623-1.    1/11 
  Installing       : python3-cloud-what-1.29.40-1.el9.rocky.0.1.x86_64     2/11 
  Installing       : python3-iniparse-0.4-45.el9.noarch                    3/11 
  Installing       : python3-subscription-manager-rhsm-1.29.40-1.el9.ro    4/11 
  Installing       : libdnf-plugin-subscription-manager-1.29.40-1.el9.r    5/11 
  Installing       : python3-librepo-1.14.5-2.el9.x86_64                   6/11 
  Installing       : python3-inotify-0.9.6-25.el9.noarch                   7/11 
  Installing       : virt-what-1.25-5.el9.x86_64                           8/11 
  Installing       : usermode-1.114-4.el9.x86_64                           9/11 
  Installing       : python3-decorator-4.4.2-6.el9.noarch                 10/11 
  Running scriptlet: subscription-manager-1.29.40-1.el9.rocky.0.1.x86_6   11/11 
  Installing       : subscription-manager-1.29.40-1.el9.rocky.0.1.x86_6   11/11 
  Running scriptlet: subscription-manager-1.29.40-1.el9.rocky.0.1.x86_6   11/11 
Created symlink /etc/systemd/system/multi-user.target.wants/rhsmcertd.service → /usr/lib/systemd/system/rhsmcertd.service.

  Verifying        : python3-decorator-4.4.2-6.el9.noarch                  1/11 
  Verifying        : usermode-1.114-4.el9.x86_64                           2/11 
  Verifying        : python3-iniparse-0.4-45.el9.noarch                    3/11 
  Verifying        : virt-what-1.25-5.el9.x86_64                           4/11 
  Verifying        : python3-inotify-0.9.6-25.el9.noarch                   5/11 
  Verifying        : python3-librepo-1.14.5-2.el9.x86_64                   6/11 
  Verifying        : subscription-manager-1.29.40-1.el9.rocky.0.1.x86_6    7/11 
  Verifying        : python3-subscription-manager-rhsm-1.29.40-1.el9.ro    8/11 
  Verifying        : python3-cloud-what-1.29.40-1.el9.rocky.0.1.x86_64     9/11 
  Verifying        : libdnf-plugin-subscription-manager-1.29.40-1.el9.r   10/11 
  Verifying        : subscription-manager-rhsm-certificates-20220623-1.   11/11 

Installed:
  libdnf-plugin-subscription-manager-1.29.40-1.el9.rocky.0.1.x86_64             
  python3-cloud-what-1.29.40-1.el9.rocky.0.1.x86_64                             
  python3-decorator-4.4.2-6.el9.noarch                                          
  python3-iniparse-0.4-45.el9.noarch                                            
  python3-inotify-0.9.6-25.el9.noarch                                           
  python3-librepo-1.14.5-2.el9.x86_64                                           
  python3-subscription-manager-rhsm-1.29.40-1.el9.rocky.0.1.x86_64              
  subscription-manager-1.29.40-1.el9.rocky.0.1.x86_64                           
  subscription-manager-rhsm-certificates-20220623-1.el9.noarch                  
  usermode-1.114-4.el9.x86_64                                                   
  virt-what-1.25-5.el9.x86_64                                                   

Complete!
OVAL test results details

package subscription-manager is installed  oval:ssg-test_package_subscription-manager_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_subscription-manager_installed:obj:1 of type rpminfo_object
Name
subscription-manager
Uninstall gssproxy Packagexccdf_org.ssgproject.content_rule_package_gssproxy_removed medium

Uninstall gssproxy Package

Rule IDxccdf_org.ssgproject.content_rule_package_gssproxy_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_gssproxy_removed:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000381, CCI-000366
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
stigrefSV-257832r925483_rule
Description
The gssproxy package can be removed with the following command:
$ sudo dnf erase gssproxy
Rationale
gssproxy is a proxy for GSS API credential handling.
OVAL test results details

package gssproxy is removed  oval:ssg-test_package_gssproxy_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
Name
gssproxy
Uninstall iprutils Packagexccdf_org.ssgproject.content_rule_package_iprutils_removed medium

Uninstall iprutils Package

Rule IDxccdf_org.ssgproject.content_rule_package_iprutils_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_iprutils_removed:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
stigrefSV-257833r925486_rule
Description
The iprutils package can be removed with the following command:
$ sudo dnf erase iprutils
Rationale
iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.
OVAL test results details

package iprutils is removed  oval:ssg-test_package_iprutils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
Name
iprutils
Uninstall tuned Packagexccdf_org.ssgproject.content_rule_package_tuned_removed medium

Uninstall tuned Package

Rule IDxccdf_org.ssgproject.content_rule_package_tuned_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tuned_removed:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
stigrefSV-257834r925489_rule
Description
The tuned package can be removed with the following command:
$ sudo dnf erase tuned
Rationale
tuned contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.
OVAL test results details

package tuned is removed  oval:ssg-test_package_tuned_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tuned_removed:obj:1 of type rpminfo_object
Name
tuned
Ensure dnf Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating low

Ensure dnf Removes Previous Package Versions

Rule IDxccdf_org.ssgproject.content_rule_clean_components_post_updating
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-clean_components_post_updating:def:1
Time2024-08-21T12:34:27+00:00
Severitylow
References:
cis-csc18, 20, 4
cobit5APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02
cui3.4.8
disaCCI-002617
isa-62443-20094.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9
iso27001-2013A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
nistSI-2(6), CM-11(a), CM-11(b), CM-6(a)
nist-csfID.RA-1, PR.IP-12
os-srgSRG-OS-000437-GPOS-00194
stigrefSV-257824r925459_rule
Description
dnf should be configured to remove previous software components after new versions have been installed. To configure dnf to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/dnf/dnf.conf.
Rationale
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
OVAL test results details

check value of clean_requirements_on_remove in /etc/dnf/dnf.conf  oval:ssg-test_yum_clean_components_post_updating:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/dnf/dnf.confclean_requirements_on_remove=True
Ensure gpgcheck Enabled In Main dnf Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated high

Ensure gpgcheck Enabled In Main dnf Configuration

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_globally_activated:def:1
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc11, 2, 3, 9
cjis5.10.4.1
cobit5APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02
cui3.4.8
disaCCI-001749
hipaa164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
nistCM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b)
nist-csfPR.DS-6, PR.DS-8, PR.IP-1
osppFPT_TUD_EXT.1, FPT_TUD_EXT.2
pcidssReq-6.2
os-srgSRG-OS-000366-GPOS-00153
anssiR59
cis1.2.2
pcidss46.3.3
stigrefSV-257820r925447_rule
Description
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check package signatures before installing them, ensure the following line appears in /etc/dnf/dnf.conf in the [main] section:
gpgcheck=1
Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
OVAL test results details

check value of gpgcheck in /etc/dnf/dnf.conf  oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/dnf/dnf.confgpgcheck=1
Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages high

Ensure gpgcheck Enabled for Local Packages

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_local_packages:def:1
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.4.8
disaCCI-001749
hipaa164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistCM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10)
nist-csfPR.IP-1
osppFPT_TUD_EXT.1, FPT_TUD_EXT.2
os-srgSRG-OS-000366-GPOS-00153
anssiR59
stigrefSV-257821r925450_rule
Description
dnf should be configured to verify the signature(s) of local packages prior to installation. To configure dnf to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
Rationale
Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
OVAL test results details

check value of localpkg_gpgcheck in /etc/dnf/dnf.conf  oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/dnf/dnf.conflocalpkg_gpgcheck=1
Ensure gpgcheck Enabled for All dnf Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled high

Ensure gpgcheck Enabled for All dnf Package Repositories

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_never_disabled:def:1
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc11, 2, 3, 9
cjis5.10.4.1
cobit5APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02
cui3.4.8
disaCCI-001749
hipaa164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
nistCM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b)
nist-csfPR.DS-6, PR.DS-8, PR.IP-1
osppFPT_TUD_EXT.1, FPT_TUD_EXT.2
pcidssReq-6.2
os-srgSRG-OS-000366-GPOS-00153
anssiR59
pcidss46.3.3
stigrefSV-257822r925453_rule
Description
To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
Rationale
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."
OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files  oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/yum.repos.d.*^\s*gpgcheck\s*=\s*0\s*$1
Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed high

Ensure Red Hat GPG Key Installed

Rule IDxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_redhat_gpgkey_installed:def:1
Time2024-08-21T12:34:27+00:00
Severityhigh
References:
cis-csc11, 2, 3, 9
cjis5.10.4.1
cobit5APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02
cui3.4.8
disaCCI-001749
hipaa164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
isa-62443-20094.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4
isa-62443-2013SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6
iso27001-2013A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
nerc-cipCIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-5(3), SI-7, SC-12, SC-12(3), CM-6(a)
nist-csfPR.DS-6, PR.DS-8, PR.IP-1
osppFPT_TUD_EXT.1, FPT_TUD_EXT.2
pcidssReq-6.2
os-srgSRG-OS-000366-GPOS-00153
anssiR59
pcidss46.3.3
stigrefSV-257819r925444_rule
Description
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

Red Hat release key package is installed  oval:ssg-test_redhat_package_gpgkey-fd431d51-4ae0493b_installed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
falsegpg-pubkey(none)(none)5631588cbe1229cf0:be1229cf-5631588c0gpg-pubkey-0:be1229cf-5631588c.(none)
falsegpg-pubkey(none)(none)6279464b350d275d0:350d275d-6279464b0gpg-pubkey-0:350d275d-6279464b.(none)
falsegpg-pubkey(none)(none)613798eb3228467c0:3228467c-613798eb0gpg-pubkey-0:3228467c-613798eb.(none)

Red Hat auxiliary key package is installed  oval:ssg-test_redhat_package_gpgkey-5a6340b3-6229229e_installed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
falsegpg-pubkey(none)(none)5631588cbe1229cf0:be1229cf-5631588c0gpg-pubkey-0:be1229cf-5631588c.(none)
falsegpg-pubkey(none)(none)6279464b350d275d0:350d275d-6279464b0gpg-pubkey-0:350d275d-6279464b.(none)
falsegpg-pubkey(none)(none)613798eb3228467c0:3228467c-613798eb0gpg-pubkey-0:3228467c-613798eb.(none)

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Check os-release ID  oval:ssg-test_centos9_name:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/os-releaseID="rocky"

Check os-release VERSION_ID  oval:ssg-test_centos9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos9:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)"$1

CentOS9 key package is installed  oval:ssg-test_redhat_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
falsegpg-pubkey(none)(none)5631588cbe1229cf0:be1229cf-5631588c0gpg-pubkey-0:be1229cf-5631588c.(none)
falsegpg-pubkey(none)(none)6279464b350d275d0:350d275d-6279464b0gpg-pubkey-0:350d275d-6279464b.(none)
falsegpg-pubkey(none)(none)613798eb3228467c0:3228467c-613798eb0gpg-pubkey-0:3228467c-613798eb.(none)

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Check os-release ID  oval:ssg-test_rl9_name:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseID="rocky"

Check os-release ID  oval:ssg-test_rl9_name:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseID="rocky"

Check os-release VERSION_ID  oval:ssg-test_rl9_version:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseVERSION_ID="9.4"

Check os-release VERSION_ID  oval:ssg-test_rl9_version:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseVERSION_ID="9.4"

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFamily
trueunix

Check os-release ID  oval:ssg-test_rl9_name:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseID="rocky"

Check os-release ID  oval:ssg-test_rl9_name:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseID="rocky"

Check os-release VERSION_ID  oval:ssg-test_rl9_version:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseVERSION_ID="9.4"

Check os-release VERSION_ID  oval:ssg-test_rl9_version:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/os-releaseVERSION_ID="9.4"

Rocky Linux 9 key package is installed  oval:ssg-test_redhat_package_gpgkey-350d275d-6279464b_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
falsegpg-pubkey(none)(none)5631588cbe1229cf0:be1229cf-5631588c0gpg-pubkey-0:be1229cf-5631588c.(none)
truegpg-pubkey(none)(none)6279464b350d275d0:350d275d-6279464b0gpg-pubkey-0:350d275d-6279464b.(none)
falsegpg-pubkey(none)(none)613798eb3228467c0:3228467c-613798eb0gpg-pubkey-0:3228467c-613798eb.(none)
Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date medium

Ensure Software Patches Installed

Rule IDxccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc18, 20, 4
cjis5.10.4.1
cobit5APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02
disaCCI-000366, CCI-001227
isa-62443-20094.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9
iso27001-2013A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
nistSI-2(5), SI-2(c), CM-6(a)
nist-csfID.RA-1, PR.IP-12
osppFMT_MOF_EXT.1
pcidssReq-6.2
os-srgSRG-OS-000480-GPOS-00227
anssiR61
pcidss46.3.3
stigrefSV-257778r925321_rule
Description


NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Warnings
warning  Red Hat Enterprise Linux 9 does not have a corresponding OVAL CVE Feed. Therefore, this will result in a "not checked" result during a scan.
Evaluation messages
info 
No candidate or applicable check found.
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled medium

Enable GNOME3 Login Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.9
disaCCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-8(a), AC-8(b), AC-8(c)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
os-srgSRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
cis1.8.2
stigrefSV-258012r926023_rule, SV-258013r926026_rule
Description
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue medium

Modify the System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_issue
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_issue:def:1
Time2024-08-21T12:38:19+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.9
disaCCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-8(a), AC-8(c)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
os-srgSRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
cis1.7.2
stigrefSV-257779r925324_rule
Description
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/issue\S Kernel \r on an \m
Limit Password Reuse: password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth medium

Limit Password Reuse: password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1
Time2024-08-21T12:38:20+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.1.1
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.5.8
disaCCI-000200
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(f), IA-5(1)(e)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.2.5
os-srgSRG-OS-000077-GPOS-00045
cis5.5.3
pcidss48.3.7
stigrefSV-258092r926263_rule
Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature:
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than 5
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
warning  Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files. If a custom profile was created and used in the system before this authselect feature was available, the new feature can't be used with this custom profile and the remediation will fail. In this case, the custom profile should be recreated or manually updated.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-19.ZwsZYO
Changes were successfully applied.
Current configuration is valid.
New profile was created at /etc/authselect/custom/hardening
Backup stored at /var/lib/authselect/backups/before-hardening-custom-profile
Changes were successfully applied.
Profile "custom/hardening" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/after-hardening-custom-profile
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.64YRMq
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.2xWuHs
Changes were successfully applied.
OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
requisite
required
requisite,required
^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$
^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$
/etc/pam.d/password-auth1

Check remember parameter is present and correct in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pamd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$
/etc/pam.d/password-auth1

Check the absence of remember parameter in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*remember\s*=\s*([0-9]+)^/etc/security/pwhistory.conf$1

Check remember parameter is absent in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pamd:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$/etc/pam.d/password-auth1

Check remember parameter is present and correct in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*remember\s*=\s*([0-9]+)
^/etc/security/pwhistory.conf$1
Limit Password Reuse: system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth medium

Limit Password Reuse: system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1
Time2024-08-21T12:38:20+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.1.1
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.5.8
disaCCI-000200
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(f), IA-5(1)(e)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.2.5
os-srgSRG-OS-000077-GPOS-00045
cis5.5.3
pcidss48.3.7
stigrefSV-258093r926266_rule
Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature:
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than 5
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
warning  Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.mbtx4t
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.qPLc4D
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.wgUlKN
Changes were successfully applied.
OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
requisite
required
requisite,required
^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$
^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$
/etc/pam.d/system-auth1

Check remember parameter is present and correct in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pamd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$
/etc/pam.d/system-auth1

Check the absence of remember parameter in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*remember\s*=\s*([0-9]+)^/etc/security/pwhistory.conf$1

Check remember parameter is absent in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$/etc/pam.d/system-auth1

Check remember parameter is present and correct in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*remember\s*=\s*([0-9]+)
^/etc/security/pwhistory.conf$1
Account Lockouts Must Be Loggedxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit medium

Account Lockouts Must Be Logged

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_audit:def:1
Time2024-08-21T12:38:20+00:00
Severitymedium
References:
disaCCI-000044
nistAC-7 (a)
os-srgSRG-OS-000021-GPOS-00005
stigrefSV-258070r926197_rule
Description
PAM faillock locks an account due to excessive password failures, this event must be logged.
Rationale
Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.2rZ4Zs
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.MEpE3C
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.YyIMn5
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.k9GuW6
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-20.aM3mda
Changes were successfully applied.
OVAL test results details

Check the presence of audit parameter in system-auth  oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/system-auth1

Check the presence of audit parameter in password-auth  oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/password-auth1

Check the absence of audit parameter in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/security/faillock.conf^\s*audit1

Check the absence of audit parameter in system-auth  oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/system-auth1

Check the absence of audit parameter in password-auth  oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/password-auth1

Check the expected audit value in in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/security/faillock.conf^\s*audit1
Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny medium

Lock Accounts After Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_deny:def:1
Time2024-08-21T12:38:21+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.3
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.8
disaCCI-000044, CCI-002236, CCI-002237, CCI-002238
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), AC-7(a)
nist-csfPR.AC-7
osppFIA_AFL.1
pcidssReq-8.1.6
os-srgSRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005
anssiR31
cis5.5.2
pcidss48.3.4
stigrefSV-258054r926149_rule
Description
This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to 3 and greater than 0. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.a2VrBi
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.7dzsVN
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.7e7J4z
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.6wbJ3q
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.efLoiY
Changes were successfully applied.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/password-auth$1

Check the expected deny value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected deny value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of deny parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/security/faillock.confdeny = 3

Check the absence of deny parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of deny parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected deny value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/faillock.confdeny = 3
Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root medium

Configure the root Account for Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_deny_root:def:1
Time2024-08-21T12:38:21+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
disaCCI-002238, CCI-000044
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), AC-7(b), IA-5(c)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
os-srgSRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005
anssiR31
stigrefSV-258055r926152_rule
Description
This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.xcOzr3
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.2AFdfV
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.tnsKE0
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.nxYzx6
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.aoxJUq
Changes were successfully applied.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one pattern occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/system-auth$1

One and only one pattern occurrence is expected in account section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/system-auth$1

One and only one pattern occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/password-auth$1

One and only one pattern occurrence is expected in account section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/password-auth$1

Check the expected even_deny_root parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/system-auth$1

Check the expected even_deny_root parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/password-auth$1

Check the absence of even_deny_root parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*even_deny_root^/etc/security/faillock.conf$1

Check the absence of even_deny_root parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/system-auth$1

Check the absence of even_deny_root parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/password-auth$1

Check the expected even_deny_root parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*even_deny_root^/etc/security/faillock.conf$1
Lock Accounts Must Persistxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir medium

Lock Accounts Must Persist

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_dir:def:1
Time2024-08-21T12:38:23+00:00
Severitymedium
References:
disaCCI-000044, CCI-002238
nistAC-7(b), AC-7(a), AC-7.1(ii)
os-srgSRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
stigrefSV-258060r926167_rule
Description
This rule ensures that the system lock out accounts using pam_faillock.so persist after system reboot. From "pam_faillock" man pages:
Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. The chosen profile expects the directory to be /var/log/faillock.
Rationale
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. In combination with the silent option, user enumeration attacks are also mitigated.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.2ZLHiq
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.asNBBI
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.1P0L7E
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.c1A00Q
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-21.DCerNv
Changes were successfully applied.
Relabeled /var/log/faillock from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:faillog_t:s0
OVAL test results details

Check that the expected dir value in system-auth is present both with preauth and authfail  oval:ssg-test_pam_faillock_dir_parameter_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_system_auth:obj:1 of type variable_object
Var ref
oval:ssg-var_faillock_dir_set_both_preauth_authfail_system_auth:var:1

Check that the expected dir value in password-auth is present both with preauth and authfail  oval:ssg-test_pam_faillock_dir_parameter_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_password_auth:obj:1 of type variable_object
Var ref
oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1

Check the absence of dir parameter in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_dir_parameter_no_faillock_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
dir\s*=\s*(\S+|"[^"]+)
^[\s]*dir\s*=\s*(\S+|"[^"]+)
/etc/security/faillock.conf1

Check the absence of dir parameter in system-auth  oval:ssg-test_pam_faillock_dir_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstanceFilter
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+)
dir\s*=\s*(\S+|"[^"]+)
/etc/pam.d/system-auth1oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1

Check the absence of dir parameter in password-auth  oval:ssg-test_pam_faillock_dir_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstanceFilter
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+)
dir\s*=\s*(\S+|"[^"]+)
/etc/pam.d/password-auth1oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1

Check the expected dir value in in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_dir_parameter_faillock_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
dir\s*=\s*(\S+|"[^"]+)
^[\s]*dir\s*=\s*(\S+|"[^"]+)
/etc/security/faillock.conf1
Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval medium

Set Interval For Counting Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_interval:def:1
Time2024-08-21T12:38:23+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
disaCCI-000044, CCI-002236, CCI-002237, CCI-002238
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), AC-7(a)
nist-csfPR.AC-7
osppFIA_AFL.1
os-srgSRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005
anssiR31
stigrefSV-258056r926155_rule
Description
Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.gWBFnX
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.Snq4RQ
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.fSr2Ko
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.xzaKQj
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.LDZatZ
Changes were successfully applied.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/password-auth$1

Check the expected fail_interval value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected fail_interval value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of fail_interval parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*fail_interval[\s]*=[\s]*([0-9]+)^/etc/security/faillock.conf$1

Check the absence of fail_interval parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of fail_interval parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected fail_interval value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*fail_interval[\s]*=[\s]*([0-9]+)
^/etc/security/faillock.conf$1
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time medium

Set Lockout Time for Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.3
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.8
disaCCI-000044, CCI-002236, CCI-002237, CCI-002238
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), AC-7(b)
nist-csfPR.AC-7
osppFIA_AFL.1
pcidssReq-8.1.7
os-srgSRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005
anssiR31
cis5.5.2
pcidss48.3.4
stigrefSV-258057r926158_rule
Description
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is 0 or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.
Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system supports the new /etc/security/faillock.conf file but the pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter to /etc/security/faillock.conf to ensure compatibility with authselect tool. The parameters deny and fail_interval, if used, also have to be migrated by their respective remediation.
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.zjOJCL
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.rjvBLP
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.pNJiS6
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.qGg7wP
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-23.i4a6JN
Changes were successfully applied.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/system-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so^/etc/pam.d/password-auth$1

Check the expected unlock_time value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
0
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected unlock_time value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
0
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of unlock_time parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/security/faillock.confunlock_time=600

Check the absence of unlock_time parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of unlock_time parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected unlock_time value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/faillock.confunlock_time=600
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit medium

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_dcredit:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000194
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
osppFMT_SMF_EXT.1
pcidssReq-8.2.3
os-srgSRG-OS-000071-GPOS-00039
anssiR31
pcidss48.3.6
stigrefSV-258103r926296_rule
Description
The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_dcredit:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/pwquality.confdcredit = -1
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Wordsxccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck medium

Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_dictcheck:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
disaCCI-000366
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
os-srgSRG-OS-000480-GPOS-00225
stigrefSV-258110r926317_rule
Description
The pam_pwquality module's dictcheck check if passwords contains dictionary words. When dictcheck is set to 1 passwords will be checked for dictionary words.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with dictionary words may be more vulnerable to password-guessing attacks.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_dictcheck:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dictcheck:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/security/pwquality\.conf$^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$)1
Ensure PAM Enforces Password Requirements - Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok medium

Ensure PAM Enforces Password Requirements - Minimum Different Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_difok
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_difok:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.1.1
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000195
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(b), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
os-srgSRG-OS-000072-GPOS-00040
stigrefSV-258112r926323_rule
Description
The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_difok:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_difok:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/security/pwquality\.conf$^\s*difok[\s]*=[\s]*(-?\d+)(?:[\s]|$)1
Ensure PAM Enforces Password Requirements - Enforce for root Userxccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root medium

Ensure PAM Enforces Password Requirements - Enforce for root User

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_enforce_root:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
disaCCI-000194, CCI-000193, CCI-001619, CCI-000205, CCI-000195, CCI-000192, CCI-000366
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
os-srgSRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037
stigrefSV-258101r926290_rule
Description
The pam_pwquality module's enforce_for_root parameter controls requirements for enforcing password complexity for the root user. Enable the enforce_for_root setting in /etc/security/pwquality.conf to require the root user to use complex passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

tests the presence of 'enforce_for_root' setting in the /etc/security/pwquality.conf file  oval:ssg-test_accounts_password_pam_enforce_root:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_accounts_password_pam_enforce_root:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/security/pwquality.conf^[\s]*enforce_for_root[\s]*$1
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit medium

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_lcredit:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000193
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
osppFMT_SMF_EXT.1
pcidssReq-8.2.3
os-srgSRG-OS-000070-GPOS-00038
anssiR31
pcidss48.3.6
stigrefSV-258102r926293_rule
Description
The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_lcredit:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/pwquality.conflcredit = -1
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat medium

Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_maxclassrepeat:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000195
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
os-srgSRG-OS-000072-GPOS-00040
stigrefSV-258113r926326_rule
Description
The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/security/pwquality\.conf$^\s*maxclassrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)1
Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat medium

Set Password Maximum Consecutive Repeating Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_maxrepeat:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000195
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
os-srgSRG-OS-000072-GPOS-00040
stigrefSV-258114r926329_rule
Description
The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 3 to prevent a run of (3 + 1) or more identical characters.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/security/pwquality\.conf$^\s*maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)1
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass medium

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minclass:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000195
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
os-srgSRG-OS-000072-GPOS-00040
anssiR68
cis5.5.1
stigrefSV-258115r926332_rule
Description
The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minclass:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/security/pwquality\.conf$^\s*minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)1
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen medium

Ensure PAM Enforces Password Requirements - Minimum Length

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minlen:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.1.1
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000205
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
osppFMT_SMF_EXT.1
pcidssReq-8.2.3
os-srgSRG-OS-000078-GPOS-00046
anssiR31, R68
cis5.5.1
pcidss48.3.6
stigrefSV-258107r926308_rule
Description
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements.
Rationale
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minlen:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/security/pwquality.confminlen = 12
Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit medium

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_ocredit:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-001619
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
osppFMT_SMF_EXT.1
os-srgSRG-OS-000266-GPOS-00101
anssiR31
stigrefSV-258109r926314_rule
Description
The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_ocredit:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/pwquality.confocredit = -1
Ensure PAM password complexity module is enabled in password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth medium

Ensure PAM password complexity module is enabled in password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwquality_password_auth:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227
stigrefSV-258097r926278_rule
Description
To enable PAM password complexity in password-auth file: Edit the password section in /etc/pam.d/password-auth to show password requisite pam_pwquality.so.
Rationale
Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwquality_password_auth:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/password-authpassword requisite pam_pwquality.so
Ensure PAM password complexity module is enabled in system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth medium

Ensure PAM password complexity module is enabled in system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwquality_system_auth:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258098r926281_rule
Description
To enable PAM password complexity in system-auth file: Edit the password section in /etc/pam.d/system-auth to show password requisite pam_pwquality.so.
Rationale
Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwquality_system_auth:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-authpassword requisite pam_pwquality.so
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry medium

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_retry:def:1
Time2024-08-21T12:38:24+00:00
Severitymedium
References:
cis-csc1, 11, 12, 15, 16, 3, 5, 9
cjis5.5.3
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000192, CCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), AC-7(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1
osppFMT_MOF_EXT.1
os-srgSRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227
anssiR68
cis5.5.1
stigrefSV-258091r926260_rule
Description
To configure the number of retry prompts that are permitted per-session: Edit the /etc/security/pwquality.conf to include retry=3 , or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Rationale
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-24.FSeDsp
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-24.xLBHMM
Changes were successfully applied.
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-24.IQaKox
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-24.kgkruh
Changes were successfully applied.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_pwquality_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/security/pwquality.conf^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$)1
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit medium

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_ucredit:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000192, CCI-000193
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(a), CM-6(a), IA-5(4)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
osppFMT_SMF_EXT.1
pcidssReq-8.2.3
os-srgSRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038
anssiR31
stigrefSV-258111r926320_rule
Description
The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_ucredit:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/security/pwquality.confucredit = -1
Set Password Hashing Algorithm in /etc/libuser.confxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf medium

Set Password Hashing Algorithm in /etc/libuser.conf

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_libuserconf:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.2
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.13.11
disaCCI-000196
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0418, 1055, 1402
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(c), CM-6(a)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.2.1
os-srgSRG-OS-000073-GPOS-00041
pcidss48.3.2
stigrefSV-258116r926335_rule
Description
In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:
crypt_style = sha512
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

The password hashing algorithm should be set correctly in /etc/libuser.conf  oval:ssg-test_etc_libuser_conf_cryptstyle:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/libuser.conf crypt_style = sha512
Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs medium

Set Password Hashing Algorithm in /etc/login.defs

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_logindefs:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.2
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.13.11
disaCCI-000196
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0418, 1055, 1402
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(c), CM-6(a)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.2.1
os-srgSRG-OS-000073-GPOS-00041
cis5.5.4
pcidss48.3.2
stigrefSV-258117r926338_rule
Description
In /etc/login.defs, add or correct the following line to ensure the system will use SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
                  
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
OVAL test results details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs  oval:ssg-test_etc_login_defs_encrypt_method:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-variable_last_encrypt_method_instance_value:var:1SHA512
Set PAM''s Password Hashing Algorithm - password-authxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth medium

Set PAM''s Password Hashing Algorithm - password-auth

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_passwordauth:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cjis5.6.2.2
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.13.11
disaCCI-000196, CCI-000803
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism0418, 1055, 1402
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-5(c), IA-5(1)(c), CM-6(a)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.2.1
os-srgSRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
cis5.5.4
stigrefSV-258233r926686_rule
Description
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/password-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...
                  

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/password-auth for correct settings  oval:ssg-test_pam_unix_passwordauth_sha512:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/password-authpassword sufficient pam_unix.so sha512 shadow nullok use_authtok
Set Password Hashing Rounds in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs medium

Set Password Hashing Rounds in /etc/login.defs

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_min_rounds_logindefs:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000196, CCI-000803
os-srgSRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
stigrefSV-258119r926344_rule
Description
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using more hashing rounds makes password cracking attacks more difficult.
OVAL test results details

SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s*1

SHA_CRYPT_MIN_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_present:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_present:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\s*$1

SHA_CRYPT_MAX_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MAX_ROUNDS\s*1

SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s*1

SHA_CRYPT_MAX_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000  oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_present:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_present:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\s*$1
Disallow Configuration to Bypass Password Requirements for Privilege Escalationxccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo medium

Disallow Configuration to Bypass Password Requirements for Privilege Escalation

Rule IDxccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disallow_bypass_password_sudo:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-002038
nistIA-11
os-srgSRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
stigrefSV-258118r926341_rule
Description
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
OVAL test results details

Check absence of conf pam_succeed_if in /etc/pam.d/sudo  oval:ssg-test_disallow_bypass_password_sudo:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_disallow_bypass_password_sudo:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/sudo^.*pam_succeed_if.*$1
Install the tmux Packagexccdf_org.ssgproject.content_rule_package_tmux_installed medium

Install the tmux Package

Rule IDxccdf_org.ssgproject.content_rule_package_tmux_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tmux_installed:def:1
Time2024-08-21T12:38:31+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.10
disaCCI-000058, CCI-000056
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a)
nist-csfPR.AC-7
osppFMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1
os-srgSRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009
stigrefSV-258063r926176_rule
Description
To enable console screen locking, install the tmux package. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 9 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Instruct users to begin new terminal sessions with the following command:
$ tmux
The console can now be locked with the following key combination:
ctrl+b :lock-session
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The tmux package allows for a session lock to be implemented and configured.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:21 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package        Architecture     Version                 Repository        Size
================================================================================
Installing:
 tmux           x86_64           3.2a-5.el9              baseos           475 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 475 k
Installed size: 1.1 M
Downloading Packages:
tmux-3.2a-5.el9.x86_64.rpm                      347 kB/s | 475 kB     00:01    
--------------------------------------------------------------------------------
Total                                           303 kB/s | 475 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : tmux-3.2a-5.el9.x86_64                                 1/1 
  Running scriptlet: tmux-3.2a-5.el9.x86_64                                 1/1 
  Verifying        : tmux-3.2a-5.el9.x86_64                                 1/1 
Installed products updated.

Installed:
  tmux-3.2a-5.el9.x86_64                                                        

Complete!
OVAL test results details

package tmux is installed  oval:ssg-test_package_tmux_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tmux_installed:obj:1 of type rpminfo_object
Name
tmux
Support session locking with tmux (not enforcing)xccdf_org.ssgproject.content_rule_configure_bashrc_tmux medium

Support session locking with tmux (not enforcing)

Rule IDxccdf_org.ssgproject.content_rule_configure_bashrc_tmux
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
disaCCI-000056, CCI-000058
os-srgSRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
stigrefSV-258064r943016_rule
Description
The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/.
Rationale
Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
Warnings
warning  This rule configures Tmux to be executed in a way that exiting Tmux drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.
Configure tmux to lock session after inactivityxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time medium

Configure tmux to lock session after inactivity

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
disaCCI-000057, CCI-000060
osppFMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1
os-srgSRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
stigrefSV-258066r926185_rule
Description
To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to a value greater than 0 and less than or equal to 900 in /etc/tmux.conf.
Rationale
Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.
Configure the tmux Lock Commandxccdf_org.ssgproject.content_rule_configure_tmux_lock_command medium

Configure the tmux Lock Command

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_command
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
disaCCI-000056, CCI-000058
nistAC-11(a), AC-11(b), CM-6(a)
osppFMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1
os-srgSRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
stigrefSV-258065r926182_rule
Description
To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf:
set -g lock-command vlock
. The console can now be locked with the following key combination:
ctrl+b :lock-session
Rationale
The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.
Configure the tmux lock session key bindingxccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding low

Configure the tmux lock session key binding

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:28+00:00
Severitylow
References:
disaCCI-000056
os-srgSRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
stigrefSV-258065r926182_rule
Description
To set a key binding for the screen locking in tmux terminal multiplexer, the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf:
bind X lock-session
. The console can now be locked with the following key combination:
Ctrl+b Shift+x
Rationale
The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.
Prevent user from disabling the screen lockxccdf_org.ssgproject.content_rule_no_tmux_in_shells low

Prevent user from disabling the screen lock

Rule IDxccdf_org.ssgproject.content_rule_no_tmux_in_shells
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_tmux_in_shells:def:1
Time2024-08-21T12:34:28+00:00
Severitylow
References:
disaCCI-000056, CCI-000058
nistCM-6
osppFMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1
os-srgSRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
stigrefSV-258067r926188_rule
Description
The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
Rationale
Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.
OVAL test results details

check that tmux is not listed in /etc/shells  oval:ssg-test_no_tmux_in_shells:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_no_tmux_in_shells:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shellstmux\s*$1
Install the opensc Package For Multifactor Authenticationxccdf_org.ssgproject.content_rule_package_opensc_installed medium

Install the opensc Package For Multifactor Authentication

Rule IDxccdf_org.ssgproject.content_rule_package_opensc_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_opensc_installed:def:1
Time2024-08-21T12:38:35+00:00
Severitymedium
References:
disaCCI-001954, CCI-001953
ism1382, 1384, 1386
nistCM-6(a)
os-srgSRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161
stigrefSV-258126r926365_rule
Description
The opensc package can be installed with the following command:
$ sudo dnf install opensc
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:25 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package               Architecture  Version                Repository     Size
================================================================================
Installing:
 opensc                x86_64        0.23.0-4.el9_3         baseos        1.3 M
Installing dependencies:
 pcsc-lite             x86_64        1.9.4-1.el9            baseos         91 k
 pcsc-lite-ccid        x86_64        1.5.2-1.el9            baseos        326 k
 pcsc-lite-libs        x86_64        1.9.4-1.el9            baseos         27 k

Transaction Summary
================================================================================
Install  4 Packages

Total download size: 1.7 M
Installed size: 5.8 M
Downloading Packages:
(1/4): pcsc-lite-libs-1.9.4-1.el9.x86_64.rpm     41 kB/s |  27 kB     00:00    
(2/4): pcsc-lite-ccid-1.5.2-1.el9.x86_64.rpm    371 kB/s | 326 kB     00:00    
(3/4): opensc-0.23.0-4.el9_3.x86_64.rpm         1.3 MB/s | 1.3 MB     00:00    
(4/4): pcsc-lite-1.9.4-1.el9.x86_64.rpm         267 kB/s |  91 kB     00:00    
--------------------------------------------------------------------------------
Total                                           1.4 MB/s | 1.7 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : pcsc-lite-libs-1.9.4-1.el9.x86_64                      1/4 
  Installing       : pcsc-lite-1.9.4-1.el9.x86_64                           2/4 
  Running scriptlet: pcsc-lite-1.9.4-1.el9.x86_64                           2/4 
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /usr/lib/systemd/system/pcscd.socket.

  Installing       : pcsc-lite-ccid-1.5.2-1.el9.x86_64                      3/4 
  Running scriptlet: pcsc-lite-ccid-1.5.2-1.el9.x86_64                      3/4 
  Installing       : opensc-0.23.0-4.el9_3.x86_64                           4/4 
  Running scriptlet: opensc-0.23.0-4.el9_3.x86_64                           4/4 
  Verifying        : opensc-0.23.0-4.el9_3.x86_64                           1/4 
  Verifying        : pcsc-lite-ccid-1.5.2-1.el9.x86_64                      2/4 
  Verifying        : pcsc-lite-libs-1.9.4-1.el9.x86_64                      3/4 
  Verifying        : pcsc-lite-1.9.4-1.el9.x86_64                           4/4 
Installed products updated.

Installed:
  opensc-0.23.0-4.el9_3.x86_64           pcsc-lite-1.9.4-1.el9.x86_64          
  pcsc-lite-ccid-1.5.2-1.el9.x86_64      pcsc-lite-libs-1.9.4-1.el9.x86_64     

Complete!
OVAL test results details

package opensc is installed  oval:ssg-test_package_opensc_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_opensc_installed:obj:1 of type rpminfo_object
Name
opensc
Install the pcsc-lite packagexccdf_org.ssgproject.content_rule_package_pcsc-lite_installed medium

Install the pcsc-lite package

Rule IDxccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_pcsc-lite_installed:def:1
Time2024-08-21T12:38:35+00:00
Severitymedium
References:
disaCCI-001954
ism1382, 1384, 1386
nistCM-6(a)
os-srgSRG-OS-000375-GPOS-00160
stigrefSV-258124r926359_rule
Description
The pcsc-lite package can be installed with the following command:
$ sudo dnf install pcsc-lite
Rationale
The pcsc-lite package must be installed if it is to be available for multifactor authentication using smartcards.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package pcsc-lite is installed  oval:ssg-test_package_pcsc-lite_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_pcsc-lite_installed:obj:1 of type rpminfo_object
Name
pcsc-lite
Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages medium

Install Smart Card Packages For Multifactor Authentication

Rule IDxccdf_org.ssgproject.content_rule_install_smartcard_packages
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-install_smartcard_packages:def:1
Time2024-08-21T12:38:39+00:00
Severitymedium
References:
disaCCI-000765, CCI-001948, CCI-001953, CCI-001954
nistCM-6(a)
pcidssReq-8.3
os-srgSRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162
stigrefSV-257838r925501_rule
Description
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The openssl-pkcs11 package can be installed with the following command:
$ sudo dnf install openssl-pkcs11
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:29 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package               Architecture  Version                Repository     Size
================================================================================
Installing:
 openssl-pkcs11        x86_64        0.4.11-9.el9           baseos         71 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 71 k
Installed size: 201 k
Downloading Packages:
openssl-pkcs11-0.4.11-9.el9.x86_64.rpm          113 kB/s |  71 kB     00:00    
--------------------------------------------------------------------------------
Total                                            90 kB/s |  71 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : openssl-pkcs11-0.4.11-9.el9.x86_64                     1/1 
  Running scriptlet: openssl-pkcs11-0.4.11-9.el9.x86_64                     1/1 
  Verifying        : openssl-pkcs11-0.4.11-9.el9.x86_64                     1/1 
Installed products updated.

Installed:
  openssl-pkcs11-0.4.11-9.el9.x86_64                                            

Complete!
OVAL test results details

package openssl-pkcs11 is installed  oval:ssg-test_package_openssl-pkcs11_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openssl-pkcs11_installed:obj:1 of type rpminfo_object
Name
openssl-pkcs11
Enable the pcscd Servicexccdf_org.ssgproject.content_rule_service_pcscd_enabled medium

Enable the pcscd Service

Rule IDxccdf_org.ssgproject.content_rule_service_pcscd_enabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_pcscd_enabled:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-001954
ism1382, 1384, 1386
nistIA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a)
pcidssReq-8.3
os-srgSRG-OS-000375-GPOS-00160
stigrefSV-258125r926362_rule
Description
The pcscd service can be enabled with the following command:
$ sudo systemctl enable pcscd.service
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package pcsc-lite is installed  oval:ssg-test_service_pcscd_package_pcsc-lite_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_pcscd_package_pcsc-lite_installed:obj:1 of type rpminfo_object
Name
pcsc-lite

Test that the pcscd service is running  oval:ssg-test_service_running_pcscd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_pcscd:obj:1 of type systemdunitproperty_object
UnitProperty
^pcscd\.(socket|service)$ActiveState

systemd test  oval:ssg-test_multi_user_wants_pcscd:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_pcscd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Configure opensc Smart Card Driversxccdf_org.ssgproject.content_rule_configure_opensc_card_drivers medium

Configure opensc Smart Card Drivers

Rule IDxccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_opensc_card_drivers:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
ism1382, 1384, 1386
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistIA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.3
os-srgSRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058
stigrefSV-258121r926350_rule
Description
The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is cac. To configure the OpenSC driver, edit the /etc/opensc.conf and add the following line into the file in the app default block, so it will look like:
app default {
   ...
   card_drivers = cac;
}
Rationale
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check that card_drivers is configured for opensc  oval:ssg-test_configure_opensc_card_drivers:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_opensc_card_drivers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/opensc.*\.conf$^[\s]+card_drivers[\s]+=[\s]+(\S+);$1
Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled medium

Disable debug-shell SystemD Service

Rule IDxccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_debug-shell_disabled:def:1
Time2024-08-21T12:38:26+00:00
Severitymedium
References:
cui3.4.5
disaCCI-000366
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
nistCM-6
osppFIA_UAU.1
os-srgSRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
stigrefSV-257786r943026_rule
Description
SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Created symlink /etc/systemd/system/debug-shell.service → /dev/null.
Failed to reset failed state of unit debug-shell.service: Unit debug-shell.service not loaded.
OVAL test results details

package systemd is removed  oval:ssg-service_debug-shell_disabled_test_service_debug-shell_package_systemd_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedsystemdx86_64(none)32.el9_4.62520:252-32.el9_4.60systemd-0:252-32.el9_4.6.x86_64

Test that the debug-shell service is not running  oval:ssg-test_service_not_running_service_debug-shell_disabled_debug-shell:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truedebug-shell.serviceActiveStateinactive

Test that the property LoadState from the service debug-shell is masked  oval:ssg-test_service_loadstate_is_masked_service_debug-shell_disabled_debug-shell:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
falsedebug-shell.serviceLoadStateloaded
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction high

Disable Ctrl-Alt-Del Burst Action

Rule IDxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_ctrlaltdel_burstaction:def:1
Time2024-08-21T12:38:26+00:00
Severityhigh
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.4.5
disaCCI-000366
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1), CM-6(a)
nist-csfPR.AC-4, PR.DS-5
osppFAU_GEN.1.2
os-srgSRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
stigrefSV-257784r925339_rule
Description
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings
warning  Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check if CtrlAltDelBurstAction is set to none  oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/systemd/system.conf(\.d/.*\.conf)?$^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$1
Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot high

Disable Ctrl-Alt-Del Reboot Activation

Rule IDxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_ctrlaltdel_reboot:def:1
Time2024-08-21T12:38:27+00:00
Severityhigh
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.4.5
disaCCI-000366
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
osppFAU_GEN.1.2
os-srgSRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
stigrefSV-257785r925342_rule
Description
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Removed "/etc/systemd/system/ctrl-alt-del.target".
Created symlink /etc/systemd/system/ctrl-alt-del.target → /dev/null.
OVAL test results details

Disable Ctrl-Alt-Del key sequence override exists  oval:ssg-test_disable_ctrlaltdel_exists:tst:1  false

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
false/etc/systemd/system/ctrl-alt-del.target/usr/lib/systemd/system/reboot.target
Verify that Interactive Boot is Disabledxccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot medium

Verify that Interactive Boot is Disabled

Rule IDxccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_disable_interactive_boot:def:1
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui3.1.2, 3.4.5
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistSC-2(1), CM-6(a)
nist-csfPR.AC-4, PR.AC-6, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257788r925351_rule
Description
Red Hat Enterprise Linux 9 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 9 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of
systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub. It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg
Rationale
Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
OVAL test results details

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$1

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd\.confirm_spawn=(?:1|yes|true|on).*$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Configure Logind to terminate idle sessions after certain time of inactivityxccdf_org.ssgproject.content_rule_logind_session_timeout medium

Configure Logind to terminate idle sessions after certain time of inactivity

Rule IDxccdf_org.ssgproject.content_rule_logind_session_timeout
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cjis5.5.6
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.1.11
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistCM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a)
nist-csfDE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
osppFMT_SMF_EXT.1.1
pcidssReq-8.1.8
os-srgSRG-OS-000163-GPOS-00072
anssiR32
stigrefSV-258077r926218_rule
Description
To configure logind service to terminate inactive user sessions after 900 seconds, edit the file /etc/systemd/logind.conf. Ensure that there is a section
[Login]
which contains the configuration
StopIdleSessionSec=900
                
.
Rationale
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth medium

Require Authentication for Emergency Systemd Target

Rule IDxccdf_org.ssgproject.content_rule_require_emergency_target_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_emergency_target_auth:def:1
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
cis-csc1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui3.1.1, 3.4.5
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistIA-2, AC-3, CM-6(a)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000080-GPOS-00048
stigrefSV-258128r926371_rule
Description
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_emergency_service:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/emergency.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Tests that the systemd emergency.service is in the emergency.target  oval:ssg-test_require_emergency_service_emergency_target:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/emergency.targetRequires=emergency.service

look for emergency.target in /etc/systemd/system  oval:ssg-test_no_custom_emergency_target:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.target$

look for emergency.service in /etc/systemd/system  oval:ssg-test_no_custom_emergency_service:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.service$
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth medium

Require Authentication for Single User Mode

Rule IDxccdf_org.ssgproject.content_rule_require_singleuser_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_singleuser_auth:def:1
Time2024-08-21T12:34:28+00:00
Severitymedium
References:
cis-csc1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui3.1.1, 3.4.5
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistIA-2, AC-3, CM-6(a)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000080-GPOS-00048
stigrefSV-258129r926374_rule
Description
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_rescue_service:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/rescue.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Tests that the systemd rescue.service is in the runlevel1.target  oval:ssg-test_require_rescue_service_runlevel1:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/runlevel1.targetRequires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system  oval:ssg-test_no_custom_runlevel1_target:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^runlevel1.target$

look for rescue.service in /etc/systemd/system  oval:ssg-test_no_custom_rescue_service:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^rescue.service$
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing medium

Set Existing Passwords Maximum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_max_life_existing:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-000199
nistIA-5(f), IA-5(1)(d), CM-6(a)
os-srgSRG-OS-000076-GPOS-00044
cis5.6.1.1
pcidss48.3.9
stigrefSV-258042r926113_rule
Description
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 60
                    USER
                  
Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$1

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$1

Passwords must have the maximum password age set non-empty in /etc/shadow.  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_not_empty:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/shadowroot:$6$43927$wND0H/IzN/m1VDKPxi4BBk.Rsnsn37W3wi9278FZN97QRaSwxm5Ebo3WI/Z71LLRaOwbzO6kHkSdSOiqmvJ/71:19955::::::
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing medium

Set Existing Passwords Minimum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_min_life_existing:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-000198
nistIA-5(f), IA-5(1)(d), CM-6(a)
os-srgSRG-OS-000075-GPOS-00043
cis5.6.1.2
stigrefSV-258105r926302_rule
Description
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
                  
Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$1

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$1

Passwords must have the maximum password age set non-empty in /etc/shadow.  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_not_empty:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/shadowroot:$6$43927$wND0H/IzN/m1VDKPxi4BBk.Rsnsn37W3wi9278FZN97QRaSwxm5Ebo3WI/Z71LLRaOwbzO6kHkSdSOiqmvJ/71:19955::::::
Verify All Account Password Hashes are Shadowed with SHA512xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 medium

Verify All Account Password Hashes are Shadowed with SHA512

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_all_shadowed_sha512:def:1
Time2024-08-21T12:34:29+00:00
Severitymedium
References:
disaCCI-000196, CCI-000803
nistIA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1
os-srgSRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
stigrefSV-258231r926680_rule
Description
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
OVAL test results details

password hashes are shadowed using sha512  oval:ssg-test_accounts_password_all_shadowed_sha512:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_all_shadowed_sha512:obj:1 of type shadow_object
UsernameFilterFilterFilter
.*oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1oval:ssg-state_accounts_password_all_shadowed_has_locked_password:ste:1oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1
Set number of Password Hashing Rounds - password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth medium

Set number of Password Hashing Rounds - password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_unix_rounds_password_auth:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-000196
os-srgSRG-OS-000073-GPOS-00041
anssiR68
stigrefSV-258099r926284_rule
Description
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the rounds option for the pam_unix PAM module.

In file /etc/pam.d/password-auth append rounds=5000 to the pam_unix.so entry, as shown below:
password sufficient pam_unix.so ...existing_options... rounds=5000
                  
The system's default number of rounds is 5000.
Rationale
Using a higher number of rounds makes password cracking attacks more difficult.
Warnings
warning  Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-41.88AvyB
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-41.ddcAGn
Changes were successfully applied.
OVAL test results details

Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth   oval:ssg-test_password_auth_pam_unix_rounds_is_set:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_password_auth_pam_unix_rounds:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/pam.d/password-auth$^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$1
Set number of Password Hashing Rounds - system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth medium

Set number of Password Hashing Rounds - system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_unix_rounds_system_auth:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-000196
os-srgSRG-OS-000073-GPOS-00041
anssiR68
stigrefSV-258100r926287_rule
Description
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the rounds option for the pam_unix PAM module.

In file /etc/pam.d/system-auth append rounds=5000 to the pam_unix.so entry, as shown below:
password sufficient pam_unix.so ...existing_options... rounds=5000
                  
The system's default number of rounds is 5000.
Rationale
Using a higher number of rounds makes password cracking attacks more difficult.
Warnings
warning  Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-41.StB6PQ
Changes were successfully applied.
Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-41.QyNdpZ
Changes were successfully applied.
OVAL test results details

Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth  oval:ssg-test_system_auth_pam_unix_rounds_is_set:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_system_auth_pam_unix_rounds:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/pam.d/system-auth$^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$1
All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same low

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule IDxccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-gid_passwd_group_same:def:1
Time2024-08-21T12:34:29+00:00
Severitylow
References:
cis-csc1, 12, 15, 16, 5
cjis5.5.2
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-000764
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistIA-2, CM-6(a)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
pcidssReq-8.5.a
os-srgSRG-OS-000104-GPOS-00051
cis6.2.3
pcidss48.2.2
stigrefSV-258048r926131_rule
Description
Add a group to the system for each GID referenced without a corresponding group.
Rationale
If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.
OVAL test results details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group  oval:ssg-test_gid_passwd_group_same:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/passwdbin:x:1:1:
true/etc/passwddaemon:x:2:2:
true/etc/passwdsync:x:5:0:
true/etc/passwdshutdown:x:6:0:
true/etc/passwdhalt:x:7:0:
true/etc/passwdmail:x:8:12:
true/etc/passwdoperator:x:11:0:
true/etc/passwdgames:x:12:100:
true/etc/passwdftp:x:14:50:
true/etc/passwdnobody:x:65534:65534:
true/etc/passwdsystemd-coredump:x:999:997:
true/etc/passwddbus:x:81:81:
true/etc/passwdpolkitd:x:998:995:
true/etc/passwdsshd:x:74:74:
true/etc/passwdsssd:x:997:994:
true/etc/passwdtss:x:59:59:
true/etc/passwdchrony:x:996:993:
true/etc/passwdsystemd-oom:x:991:991:
true/etc/passwddjagaazure:x:1000:1000:
true/etc/passwdmdatp:x:990:990:
true/etc/passwdomi:x:989:988:
true/etc/passwdomsagent:x:988:989:
true/etc/passwdnxautomation:x:987:986:
true/etc/passwdrtkit:x:172:172:
true/etc/passwdpipewire:x:986:985:
true/etc/passwdgeoclue:x:985:984:
true/etc/passwdflatpak:x:984:983:
true/etc/passwdroot:x:0:0:
true/etc/passwdadm:x:3:4:
true/etc/passwdlp:x:4:7:
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords high

Prevent Login to Accounts With Empty Password

Rule IDxccdf_org.ssgproject.content_rule_no_empty_passwords
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-no_empty_passwords:def:1
Time2024-08-21T12:38:41+00:00
Severityhigh
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2
cobit5APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
cui3.1.1, 3.1.5
disaCCI-000366
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistIA-5(1)(a), IA-5(c), CM-6(a)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
osppFIA_UAU.1
pcidssReq-8.2.3
os-srgSRG-OS-000480-GPOS-00227
cis5.4.1
pcidss48.3.1
stigrefSV-258094r926269_rule
Description
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.
Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Backup stored at /var/lib/authselect/backups/2024-08-21-12-38-41.nR9haF
Changes were successfully applied.
OVAL test results details

make sure nullok is not used in /etc/pam.d/system-auth  oval:ssg-test_no_empty_passwords:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/system-auth auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so local_users_only password sufficient pam_unix.so sha512 shadow nullok use_authtok
not evaluated/etc/pam.d/password-auth auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so local_users_only password sufficient pam_unix.so sha512 shadow nullok use_authtok
Ensure There Are No Accounts With Blank or Null Passwordsxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow high

Ensure There Are No Accounts With Blank or Null Passwords

Rule IDxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_empty_passwords_etc_shadow:def:1
Time2024-08-21T12:34:29+00:00
Severityhigh
References:
disaCCI-000366
nistCM-6(b), CM-6.1(iv)
os-srgSRG-OS-000480-GPOS-00227
cis5.6.6, 6.2.2
pcidss42.2.2
stigrefSV-258120r926347_rule
Description
Check the "/etc/shadow" file for blank passwords with the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings
warning  Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.
OVAL test results details

make sure there aren't blank or null passwords in /etc/shadow  oval:ssg-test_no_empty_passwords_etc_shadow:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^[^:]+::.*$1
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero high

Verify Only Root Has UID 0

Rule IDxccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_no_uid_except_zero:def:1
Time2024-08-21T12:34:29+00:00
Severityhigh
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
cui3.1.1, 3.1.5
disaCCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistIA-2, AC-6(5), IA-4(b)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
pcidssReq-8.5
os-srgSRG-OS-000480-GPOS-00227
cis6.2.9
pcidss48.2.1
stigrefSV-258059r926164_rule
Description
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_no_uid_except_root:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/passwd^(?!root:)[^:]*:[^:]*:01
Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts medium

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule IDxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-no_shelllogin_for_systemaccounts:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cobit5DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03
disaCCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
ism1491
iso27001-2013A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistAC-6, CM-6(a), CM-6(b), CM-6.1(iv)
nist-csfDE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6
os-srgSRG-OS-000480-GPOS-00227
cis5.6.2
pcidss48.2.2
stigrefSV-258046r926125_rule
Description
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
                  
Rationale
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warnings
warning  Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
awk: cmd. line:2: warning: escape sequence `\/' treated as plain `/'
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
usermod: no changes
OVAL test results details

SYS_UID_MIN not defined in /etc/login.defs  oval:ssg-test_sys_uid_min_not_defined:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. # #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. # #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 14 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs  oval:ssg-test_sys_uid_max_not_defined:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. # #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. # #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 14 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, UID_MIN - 1> system UIDs having shell set  oval:ssg-test_shell_defined_default_uid_range:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/passwddjagaazure:x:1000:1000:Cloud User:/home/djagaazure:/bin/bash
false/etc/passwdomi:x:989:988::/home/omi:/bin/false
false/etc/passwdomsagent:x:988:989:OMS agent:/var/opt/microsoft/omsagent/run:/bin/bash
false/etc/passwdnxautomation:x:987:986:nxOMSAutomation:/home/nxautomation/run:/bin/bash

SYS_UID_MIN not defined in /etc/login.defs  oval:ssg-test_sys_uid_min_not_defined:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. # #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. # #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 14 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs  oval:ssg-test_sys_uid_max_not_defined:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. # #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. # #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 14 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, SYS_UID_MIN> system UIDs having shell set  oval:ssg-test_shell_defined_reserved_uid_range:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/passwddjagaazure:x:1000:1000:Cloud User:/home/djagaazure:/bin/bash
true/etc/passwdomi:x:989:988::/home/omi:/bin/false
true/etc/passwdomsagent:x:988:989:OMS agent:/var/opt/microsoft/omsagent/run:/bin/bash
true/etc/passwdnxautomation:x:987:986:nxOMSAutomation:/home/nxautomation/run:/bin/bash

<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set  oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/passwddjagaazure:x:1000:1000:Cloud User:/home/djagaazure:/bin/bash
false/etc/passwdomi:x:989:988::/home/omi:/bin/false
false/etc/passwdomsagent:x:988:989:OMS agent:/var/opt/microsoft/omsagent/run:/bin/bash
false/etc/passwdnxautomation:x:987:986:nxOMSAutomation:/home/nxautomation/run:/bin/bash
Enforce usage of pam_wheel for su authenticationxccdf_org.ssgproject.content_rule_use_pam_wheel_for_su medium

Enforce usage of pam_wheel for su authentication

Rule IDxccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-use_pam_wheel_for_su:def:1
Time2024-08-21T12:34:29+00:00
Severitymedium
References:
osppFMT_SMF_EXT.1.1
os-srgSRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123
stigrefSV-258088r926251_rule
Description
To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:
auth required pam_wheel.so use_uid
Rationale
The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.
Warnings
warning  Members of "wheel" or GID 0 groups are checked by default if the group option is not set for pam_wheel.so module. Therefore, members of these groups should be manually checked or a different group should be informed according to the site policy.
OVAL test results details

check existence of use_uid option for pam_wheel.so in /etc/pam.d/su  oval:ssg-test_use_pam_wheel_for_su:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/pam.d/suauth required pam_wheel.so use_uid
Only Authorized Local User Accounts Exist on Operating Systemxccdf_org.ssgproject.content_rule_accounts_authorized_local_users medium

Only Authorized Local User Accounts Exist on Operating System

Rule IDxccdf_org.ssgproject.content_rule_accounts_authorized_local_users
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_authorized_local_users:def:1
Time2024-08-21T12:38:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258058r926161_rule
Description
Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed software groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
                
Rationale
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

query /etc/passwd  oval:ssg-test_accounts_authorized_local_users:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/passwdadm:
true/etc/passwddbus:
true/etc/passwdpolkitd:
true/etc/passwdsshd:
true/etc/passwdsssd:
true/etc/passwdtss:
true/etc/passwdchrony:
true/etc/passwdsystemd-oom:
false/etc/passwddjagaazure:
false/etc/passwdmdatp:
false/etc/passwdomi:
false/etc/passwdomsagent:
false/etc/passwdnxautomation:
true/etc/passwdrtkit:
true/etc/passwdpipewire:
true/etc/passwdgeoclue:
true/etc/passwdflatpak:
true/etc/passwddaemon:
true/etc/passwdbin:
true/etc/passwdlp:
true/etc/passwdsync:
true/etc/passwdshutdown:
true/etc/passwdhalt:
true/etc/passwdmail:
true/etc/passwdoperator:
true/etc/passwdgames:
true/etc/passwdftp:
true/etc/passwdnobody:
true/etc/passwdsystemd-coredump:
Ensure All Groups on the System Have Unique Group IDxccdf_org.ssgproject.content_rule_group_unique_id medium

Ensure All Groups on the System Have Unique Group ID

Rule IDxccdf_org.ssgproject.content_rule_group_unique_id
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-group_unique_id:def:1
Time2024-08-21T12:34:29+00:00
Severitymedium
References:
disaCCI-000764
os-srgSRG-OS-000104-GPOS-00051
cis6.2.5
pcidss48.2.1
stigrefSV-258061r926170_rule
Description
Change the group name or delete groups, so each has a unique id.
Rationale
To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
OVAL test results details

There should not exist duplicate group ids in /etc/passwd  oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-variable_count_of_all_group_ids:var:150
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc medium

Ensure the Default Bash Umask is Set Correctly

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_bashrc:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc18
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03
disaCCI-000366
isa-62443-20094.3.4.3.3
iso27001-2013A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-6(1), CM-6(a)
nist-csfPR.IP-2
os-srgSRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227
anssiR36
cis5.6.5
stigrefSV-258072r926203_rule
Description
To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 077
                  
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
not evaluatedoval:ssg-var_accounts_user_umask_umask_as_number:var:163

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_bashrc:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-var_etc_bashrc_umask_as_number:var:118
Ensure the Default C Shell Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc medium

Ensure the Default C Shell Umask is Set Correctly

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_csh_cshrc:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc18
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03
disaCCI-000366
isa-62443-20094.3.4.3.3
iso27001-2013A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-6(1), CM-6(a)
nist-csfPR.IP-2
os-srgSRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227
stigrefSV-258073r926206_rule
Description
To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 077
                  
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
not evaluatedoval:ssg-var_accounts_user_umask_umask_as_number:var:163

Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-var_etc_csh_cshrc_umask_as_number:var:118
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile medium

Ensure the Default Umask is Set Correctly in /etc/profile

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_profile:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc18
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03
disaCCI-000366
isa-62443-20094.3.4.3.3
iso27001-2013A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-6(1), CM-6(a)
nist-csfPR.IP-2
os-srgSRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227
anssiR36
cis5.6.5
stigrefSV-258075r926212_rule
Description
To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:
umask 077
                  
Note that /etc/profile also reads scrips within /etc/profile.d directory. These scripts are also valid files to set umask value. Therefore, they should also be considered during the check and properly remediated, if necessary.
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
not evaluatedoval:ssg-var_accounts_user_umask_umask_as_number:var:163

umask value(s) from profile configuration files match the requirement  oval:ssg-tst_accounts_umask_etc_profile:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_accounts_umask_etc_profile:obj:1 of type variable_object
Var ref
oval:ssg-var_etc_profile_umask_as_number:var:1
Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users medium

Ensure the Default Umask is Set Correctly For Interactive Users

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_interactive_users:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366, CCI-001814
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228
stigrefSV-258044r926119_rule
Description
Remove the UMASK environment variable from all interactive users initialization files.
Rationale
The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
OVAL test results details

Umask must not be defined in user initialization files  oval:ssg-test_accounts_umask_interactive_users:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type textfilecontent54_object
PathFilenamePatternInstanceFilter
^(?:djagaazure):(?:[^:]*:){4}([^:]+):[^:]*$
/home/djagaazure
^\..*^[\s]*umask\s*1oval:ssg-state_accounts_umask_interactive_users_bash_history:ste:1
Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay medium

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule IDxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_logon_fail_delay:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
disaCCI-000366
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistAC-7(b), CM-6(a)
nist-csfPR.IP-1
os-srgSRG-OS-000480-GPOS-00226
stigrefSV-258071r926200_rule
Description
To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 4
                
Rationale
Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check FAIL_DELAY in /etc/login.defs  oval:ssg-test_accounts_logon_fail_delay:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_logon_fail_delay:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*)1
Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout medium

Set Interactive Session Timeout

Rule IDxccdf_org.ssgproject.content_rule_accounts_tmout
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_tmout:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.11
disaCCI-000057, CCI-001133, CCI-002361
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nerc-cipCIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistAC-12, SC-10, AC-2(5), CM-6(a)
nist-csfPR.AC-7
osppFMT_MOF_EXT.1
os-srgSRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010
anssiR32
cis5.6.3
pcidss48.6.1
stigrefSV-258068r926191_rule
Description
Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT=600
                
or
declare -xr TMOUT=600
                
Using the typeset keyword is preferred for wider compatibility with ksh and other shells.
Rationale
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

TMOUT in /etc/profile  oval:ssg-test_etc_profile_tmout:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/profile^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$1

TMOUT in /etc/profile.d/*.sh  oval:ssg-test_etc_profiled_tmout:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/profile.d^.*\.sh$^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$1

Check that at least one TMOUT is defined  oval:ssg-test_accounts_tmout_defined:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_tmout_defined:obj:1 of type variable_object
Var ref
oval:ssg-variable_count_of_tmout_instances:var:1
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs medium

User Initialization Files Must Not Run World-Writable Programs

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_dot_no_world_writable_programs:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
cis6.2.16
stigrefSV-258062r926173_rule
Description
Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod o-w FILE
                
Rationale
If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
OVAL test results details

Init files do not execute world-writable programs  oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^\.[\w\- ]+$
/home/djagaazure
Referenced variable has no values (oval:ssg-var_world_writable_programs_regex:var:1).
1
Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only medium

Ensure that Users Path Contains Only Local Directories

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258050r926137_rule
Description
Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
Rationale
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Evaluation messages
info 
No candidate or applicable check found.
All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined medium

All Interactive Users Must Have A Home Directory Defined

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_interactive_home_directory_defined:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258051r926140_rule
Description
Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like /users, /tmp or /.
Rationale
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
OVAL test results details

All Interactive Users Have A Home Directory Defined  oval:ssg-test_accounts_user_interactive_home_directory_defined:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUsernamePasswordUser idGroup idGcosHome dirLogin shellLast login
truedjagaazurex10001000Cloud User/home/djagaazure/bin/bash1724241703
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists medium

All Interactive Users Home Directories Must Exist

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_interactive_home_directory_exists:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
cis6.2.10
stigrefSV-258052r926143_rule
Description
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
                
Rationale
If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
OVAL test results details

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:11

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
not evaluatedoval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:11
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupxccdf_org.ssgproject.content_rule_file_groupownership_home_directories medium

All Interactive User Home Directories Must Be Group-Owned By The Primary Group

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_home_directories:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
cis6.2.11
stigrefSV-258053r926146_rule
Description
Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
                
This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
Rationale
If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Warnings
warning  Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.
OVAL test results details

All home directories are group-owned by a local interactive group  oval:ssg-test_file_groupownership_home_directories:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
true/home/djagaazure/directory100010004096rwx------ 
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files_root medium

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permission_user_init_files_root
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permission_user_init_files_root:def:1
Time2024-08-21T12:38:42+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257889r925654_rule
Description
Set the mode of the user initialization files, including the root user, to 0740 with the following commands:
$ sudo chmod 0740 /root/.INIT_FILE
$ sudo chmod 0740 /home/USER/.INIT_FILE
                
Rationale
Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Init files have mode 0740 or less permissive  oval:ssg-test_file_permission_user_init_files_root:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
true/root/.bash_historyregular001948rw------- 
true/root/.viminforegular00532rw------- 
false/root/.cshrcregular00100rw-r--r-- 
false/root/.tcshrcregular00129rw-r--r-- 
true/home/djagaazure/.lesshstregular1000100020rw------- 
true/home/djagaazure/.viminforegular100010009436rw------- 
false/root/.bash_logoutregular0018rw-r--r-- 
false/root/.bash_profileregular00141rw-r--r-- 
false/root/.bashrcregular00429rw-r--r-- 
false/home/djagaazure/.bash_logoutregular1000100018rw-r--r-- 
false/home/djagaazure/.bash_profileregular10001000141rw-r--r-- 
false/home/djagaazure/.bashrcregular10001000492rw-r--r-- 
true/home/djagaazure/.bash_historyregular100010009881rw------- 
false/home/djagaazure/.gitconfigregular1000100054rw-r--r-- 
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories medium

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_home_directories:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
cis6.2.12
stigrefSV-257890r925657_rule
Description
Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
                
Rationale
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
OVAL test results details

All home directories have proper permissions  oval:ssg-test_file_permissions_home_directories:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
true/home/djagaazure/directory100010004096rwx------ 
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect medium

Enable authselect

Rule IDxccdf_org.ssgproject.content_rule_enable_authselect
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_authselect:def:1
Time2024-08-21T12:34:27+00:00
Severitymedium
References:
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
nistAC-3
osppFIA_UAU.1, FIA_AFL.1
os-srgSRG-OS-000480-GPOS-00227
anssiR31
ccnenable_authselect
cisenable_authselect
pcidss48.3.4
stigidneeded_rules
Description
Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the sssd profile.
Rationale
Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases.
Warnings
warning  If the sudo authselect select command returns an error informing that the chosen profile cannot be selected, it is probably because PAM files have already been modified by the administrator. If this is the case, in order to not overwrite the desired changes made by the administrator, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.
OVAL test results details

The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/pam.d/fingerprint-auth/etc/authselect/fingerprint-auth

The 'password-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_password_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/pam.d/password-auth/etc/authselect/password-auth

The 'postlogin' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/pam.d/postlogin/etc/authselect/postlogin

The 'smartcard-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/pam.d/smartcard-auth/etc/authselect/smartcard-auth

The 'system-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_system_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/pam.d/system-auth/etc/authselect/system-auth
Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg medium

Verify /boot/grub2/grub.cfg Group Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.4.5
disaCCI-000225
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-7.1
os-srgSRG-OS-000480-GPOS-00227
anssiR29
cis1.4.2
pcidss42.2.6
stigrefSV-257790r925357_rule
Description
The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
Rationale
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg medium

Verify /boot/grub2/grub.cfg User Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.4.5
disaCCI-000225
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-7.1
os-srgSRG-OS-000480-GPOS-00227
anssiR29
cis1.4.2
pcidss42.2.6
stigrefSV-257791r925360_rule
Description
The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg 
Rationale
Only root should be able to modify important boot parameters.
Set the Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_admin_username high

Set the Boot Loader Admin Username to a Non-Default Value

Rule IDxccdf_org.ssgproject.content_rule_grub2_admin_username
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:41+00:00
Severityhigh
References:
cis-csc1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui3.4.5
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistCM-6(a)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000080-GPOS-00048
stigrefSV-257789r943055_rule
Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL
Rationale
Having a non-default grub superuser username makes password-guessing attacks less effective.
Warnings
warning  To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password high

Set Boot Loader Password in grub2

Rule IDxccdf_org.ssgproject.content_rule_grub2_password
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:41+00:00
Severityhigh
References:
cis-csc1, 11, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui3.4.5
disaCCI-000213
hipaa164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
iso27001-2013A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistCM-6(a)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000080-GPOS-00048
anssiR5
cis1.4.1
stigrefSV-257787r925348_rule
Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.

Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings
warning  To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Enable Kernel Page-Table Isolation (KPTI)xccdf_org.ssgproject.content_rule_grub2_pti_argument low

Enable Kernel Page-Table Isolation (KPTI)

Rule IDxccdf_org.ssgproject.content_rule_grub2_pti_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_pti_argument:def:1
Time2024-08-21T12:38:42+00:00
Severitylow
References:
disaCCI-000381
nistSI-16
os-srgSRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049
anssiR8
stigrefSV-257795r925372_rule
Description
To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. To ensure that pti=on is added as a kernel command line argument to newly installed kernels, add pti=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
Rationale
Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for pti=on for all boot entries.  oval:ssg-test_grub2_pti_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_pti_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_pti_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Disable vsyscallsxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument medium

Disable vsyscalls

Rule IDxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_vsyscall_argument:def:1
Time2024-08-21T12:38:43+00:00
Severitymedium
References:
disaCCI-001084
nistCM-7(a)
osppFPT_ASLR_EXT.1
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
stigrefSV-257792r925363_rule
Description
To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
Rationale
Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for vsyscall=none for all boot entries.  oval:ssg-test_grub2_vsyscall_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_vsyscall_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_vsyscall_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging medium

Ensure cron Is Logging To Rsyslog

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_cron_logging:def:1
Time2024-08-21T12:34:43+00:00
Severitymedium
References:
cis-csc1, 14, 15, 16, 3, 5, 6
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
disaCCI-000366
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
ism0988, 1405
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2
nistCM-6(a)
nist-csfID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258150r926437_rule
Description
Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:
cron.*                                                  /var/log/cron
Rationale
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
OVAL test results details

cron is configured in /etc/rsyslog.conf  oval:ssg-test_cron_logging_rsyslog:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/rsyslog.confcron.* /var/log/cron # Everybody gets emergency messages

cron is configured in /etc/rsyslog.d  oval:ssg-test_cron_logging_rsyslog_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.*$^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$1
Ensure Rsyslog Authenticates Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode medium

Ensure Rsyslog Authenticates Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
disaCCI-001851
nistAU-4(1)
os-srgSRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
stigrefSV-258146r926425_rule
Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs the remote system must be authenticated.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$ActionSendStreamDriverAuthMode x509/name$1

Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.*conf$^\$ActionSendStreamDriverAuthMode x509/name$1
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode medium

Ensure Rsyslog Encrypts Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
disaCCI-001851
nistAU-4(1)
os-srgSRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
stigrefSV-258147r926428_rule
Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off a encrpytion system must be used.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$ActionSendStreamDriverMode 1$1

Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.*conf$^\$ActionSendStreamDriverMode 1$1
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver medium

Ensure Rsyslog Encrypts Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
disaCCI-001851
nistAU-4(1)
os-srgSRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
stigrefSV-258148r926431_rule
Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off an encryption system must be used.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$DefaultNetstreamDriver gtls$1

Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.*conf$^\$DefaultNetstreamDriver gtls$1
Ensure remote access methods are monitored in Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring medium

Ensure remote access methods are monitored in Rsyslog

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_remote_access_monitoring:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
disaCCI-000067
nistAC-17(1)
os-srgSRG-OS-000032-GPOS-00013
stigrefSV-258144r926419_rule
Description
Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote access method is the use of the Remote Desktop Protocol (RDP) from an external, non-organization controlled network. The /etc/rsyslog.conf or /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration:
auth.*;authpriv.*;daemon.*                              /var/log/secure
Rationale
Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

remote method auth monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_remote_method_monitoring_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/rsyslog\.(conf|d/.+\.conf)$^[^#]*auth\.\*.*$1

remote method authpriv monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_authpriv:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/rsyslog.confauthpriv.* /var/log/secure

remote method daemon monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_daemon:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_remote_method_monitoring_daemon:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/rsyslog\.(conf|d/.+\.conf)$^[^#]*daemon\.\*.*$1
Enable systemd-journald Servicexccdf_org.ssgproject.content_rule_service_systemd-journald_enabled medium

Enable systemd-journald Service

Rule IDxccdf_org.ssgproject.content_rule_service_systemd-journald_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_systemd-journald_enabled:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
disaCCI-001665
nistSC-24
os-srgSRG-OS-000269-GPOS-00103
cis4.2.2.2
stigrefSV-257783r925336_rule
Description
The systemd-journald service is an essential component of systemd. The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service
Rationale
In the event of a system failure, Red Hat Enterprise Linux 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.
OVAL test results details

package systemd is installed  oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedsystemdx86_64(none)32.el9_4.62520:252-32.el9_4.60systemd-0:252-32.el9_4.6.x86_64

Test that the systemd-journald service is running  oval:ssg-test_service_running_systemd-journald:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truesystemd-journald.socketActiveStateactive
truesystemd-journald.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_systemd-journald:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten medium

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_nolisten
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_nolisten:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5APO01.06, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, MEA02.01
disaCCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814
isa-62443-20094.2.3.4, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.8, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
ism0988, 1405
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfDE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
cis4.2.1.7
stigrefSV-258143r926416_rule
Description
The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are not found in rsyslog configuration files. If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
                
If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")
Rationale
Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.
OVAL test results details

rsyslog configuration files don't contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp  oval:ssg-test_rsyslog_nolisten_legacy:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_legacy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp))1

rsyslog configuration files don't use imtcp or imudp modules  oval:ssg-test_rsyslog_nolisten_rainerscript:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_rainerscript:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$^\s*(?:module|input)\((?:load|type)="(imtcp|imudp)".*$1
Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost medium

Ensure Logs Sent To Remote Host

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_remote_loghost:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
cis-csc1, 13, 14, 15, 16, 2, 3, 5, 6
cobit5APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01
disaCCI-000366, CCI-001348, CCI-000136, CCI-001851
hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2
ism0988, 1405
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1
nerc-cipCIP-003-8 R5.2, CIP-004-6 R3.3
nistCM-6(a), AU-4(1), AU-9(2)
nist-csfPR.DS-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133
anssiR71
stigrefSV-258149r926434_rule
Description
To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting logcollector appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @logcollector
                

To use TCP for log message delivery:
*.* @@logcollector
                

To use RELP for log message delivery:
*.* :omrelp:logcollector
                

There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.
Rationale
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Warnings
warning  It is important to configure queues in case the client is sending log messages to a remote server. If queues are not configured, the system will stop functioning when the connection to the remote server is not available. Please consult Rsyslog documentation for more information about configuration of queues. The example configuration which should go into /etc/rsyslog.conf can look like the following lines:
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Ensures system configured to export logs to remote host  oval:ssg-test_remote_rsyslog_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\*\.\*[\s]+(?:@|\:omrelp\:)1

Ensures system configured to export logs to remote host  oval:ssg-test_remote_rsyslog_d:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.+\.conf$^\*\.\*[\s]+(?:@|\:omrelp\:)1
Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed medium

Ensure rsyslog-gnutls is installed

Rule IDxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsyslog-gnutls_installed:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
disaCCI-000366
osppFTP_ITC_EXT.1.1
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061
anssiR71
stigrefSV-258141r926410_rule
Description
TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command:
$ sudo dnf install rsyslog-gnutls
Rationale
The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:37 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package              Architecture Version                Repository       Size
================================================================================
Installing:
 rsyslog-gnutls       x86_64       8.2310.0-4.el9         appstream        30 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 30 k
Installed size: 54 k
Downloading Packages:
rsyslog-gnutls-8.2310.0-4.el9.x86_64.rpm         39 kB/s |  30 kB     00:00    
--------------------------------------------------------------------------------
Total                                            32 kB/s |  30 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : rsyslog-gnutls-8.2310.0-4.el9.x86_64                   1/1 
  Running scriptlet: rsyslog-gnutls-8.2310.0-4.el9.x86_64                   1/1 
  Verifying        : rsyslog-gnutls-8.2310.0-4.el9.x86_64                   1/1 
Installed products updated.

Installed:
  rsyslog-gnutls-8.2310.0-4.el9.x86_64                                          

Complete!
OVAL test results details

package rsyslog-gnutls is installed  oval:ssg-test_package_rsyslog-gnutls_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsyslog-gnutls_installed:obj:1 of type rpminfo_object
Name
rsyslog-gnutls
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed medium

Ensure rsyslog is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsyslog_installed:def:1
Time2024-08-21T12:34:41+00:00
Severitymedium
References:
cis-csc1, 14, 15, 16, 3, 5, 6
cobit5APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
disaCCI-001311, CCI-001312, CCI-000366
hipaa164.312(a)(2)(ii)
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nistCM-6(a)
nist-csfPR.PT-1
osppFTP_ITC_EXT.1.1
os-srgSRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227
cis4.2.1.1
stigrefSV-258140r926407_rule
Description
Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo dnf install rsyslog
Rationale
The rsyslog package provides the rsyslog daemon, which provides system logging services.
OVAL test results details

package rsyslog is installed  oval:ssg-test_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedrsyslogx86_64(none)4.el98.2310.00:8.2310.0-4.el90rsyslog-0:8.2310.0-4.el9.x86_64
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled medium

Enable rsyslog Service

Rule IDxccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_rsyslog_enabled:def:1
Time2024-08-21T12:34:43+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
disaCCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366
hipaa164.312(a)(2)(ii)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1
nistCM-6(a), AU-4(1)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1
os-srgSRG-OS-000480-GPOS-00227
cis4.2.1.2
stigrefSV-258142r926413_rule
Description
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 9. The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
Rationale
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
OVAL test results details

package rsyslog is installed  oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedrsyslogx86_64(none)4.el98.2310.00:8.2310.0-4.el90rsyslog-0:8.2310.0-4.el9.x86_64

Test that the rsyslog service is running  oval:ssg-test_service_running_rsyslog:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truersyslog.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_rsyslog:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed medium

Install firewalld Package

Rule IDxccdf_org.ssgproject.content_rule_package_firewalld_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_firewalld_installed:def:1
Time2024-08-21T12:38:51+00:00
Severitymedium
References:
disaCCI-002314
nistCM-6(a)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232
cis3.4.1.2
pcidss41.2.1
stigrefSV-257935r928954_rule
Description
The firewalld package can be installed with the following command:
$ sudo dnf install firewalld
Rationale
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:40 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package                   Arch        Version             Repository      Size
================================================================================
Installing:
 firewalld                 noarch      1.3.4-1.el9         baseos         450 k
Installing dependencies:
 firewalld-filesystem      noarch      1.3.4-1.el9         baseos         8.3 k
 ipset                     x86_64      7.11-8.el9          baseos          42 k
 ipset-libs                x86_64      7.11-8.el9          baseos          69 k
 python3-firewall          noarch      1.3.4-1.el9         baseos         348 k
 python3-nftables          x86_64      1:1.0.9-1.el9       baseos          22 k
Installing weak dependencies:
 libcap-ng-python3         x86_64      0.8.2-7.el9         appstream       29 k

Transaction Summary
================================================================================
Install  7 Packages

Total download size: 968 k
Installed size: 4.4 M
Downloading Packages:
(1/7): firewalld-filesystem-1.3.4-1.el9.noarch.  33 kB/s | 8.3 kB     00:00    
(2/7): ipset-libs-7.11-8.el9.x86_64.rpm         238 kB/s |  69 kB     00:00    
(3/7): python3-firewall-1.3.4-1.el9.noarch.rpm  540 kB/s | 348 kB     00:00    
(4/7): ipset-7.11-8.el9.x86_64.rpm              377 kB/s |  42 kB     00:00    
(5/7): firewalld-1.3.4-1.el9.noarch.rpm         614 kB/s | 450 kB     00:00    
(6/7): python3-nftables-1.0.9-1.el9.x86_64.rpm  224 kB/s |  22 kB     00:00    
(7/7): libcap-ng-python3-0.8.2-7.el9.x86_64.rpm 115 kB/s |  29 kB     00:00    
--------------------------------------------------------------------------------
Total                                           742 kB/s | 968 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: firewalld-1.3.4-1.el9.noarch                           1/1 
  Preparing        :                                                        1/1 
  Installing       : libcap-ng-python3-0.8.2-7.el9.x86_64                   1/7 
  Installing       : python3-nftables-1:1.0.9-1.el9.x86_64                  2/7 
  Installing       : python3-firewall-1.3.4-1.el9.noarch                    3/7 
  Installing       : ipset-libs-7.11-8.el9.x86_64                           4/7 
  Installing       : ipset-7.11-8.el9.x86_64                                5/7 
  Installing       : firewalld-filesystem-1.3.4-1.el9.noarch                6/7 
  Installing       : firewalld-1.3.4-1.el9.noarch                           7/7 
  Running scriptlet: firewalld-1.3.4-1.el9.noarch                           7/7 
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

  Verifying        : python3-firewall-1.3.4-1.el9.noarch                    1/7 
  Verifying        : firewalld-filesystem-1.3.4-1.el9.noarch                2/7 
  Verifying        : firewalld-1.3.4-1.el9.noarch                           3/7 
  Verifying        : ipset-libs-7.11-8.el9.x86_64                           4/7 
  Verifying        : ipset-7.11-8.el9.x86_64                                5/7 
  Verifying        : python3-nftables-1:1.0.9-1.el9.x86_64                  6/7 
  Verifying        : libcap-ng-python3-0.8.2-7.el9.x86_64                   7/7 
Installed products updated.

Installed:
  firewalld-1.3.4-1.el9.noarch          firewalld-filesystem-1.3.4-1.el9.noarch
  ipset-7.11-8.el9.x86_64               ipset-libs-7.11-8.el9.x86_64           
  libcap-ng-python3-0.8.2-7.el9.x86_64  python3-firewall-1.3.4-1.el9.noarch    
  python3-nftables-1:1.0.9-1.el9.x86_64

Complete!
OVAL test results details

package firewalld is installed  oval:ssg-test_package_firewalld_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_firewalld_installed:obj:1 of type rpminfo_object
Name
firewalld
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled medium

Verify firewalld Enabled

Rule IDxccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.3, 3.4.7
disaCCI-000366, CCI-000382, CCI-002314
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nerc-cipCIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3
nistAC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a)
nist-csfPR.IP-1
osppFMT_SMF_EXT.1
os-srgSRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232
cis3.4.1.2
pcidss41.2.1
stigrefSV-257936r925795_rule
Description
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
Rationale
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports medium

Configure the Firewalld Ports

Rule IDxccdf_org.ssgproject.content_rule_configure_firewalld_ports
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000382, CCI-002314
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
ism1416
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistAC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115
pcidss41.3.1
stigrefSV-257938r925801_rule
Description
Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcp
                  
To configure firewalld to allow access for pre-defined services, run the following command:
firewall-cmd --permanent --add-service=service_name
                  
Rationale
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.
Evaluation messages
info 
No candidate or applicable check found.
Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systemsxccdf_org.ssgproject.content_rule_configured_firewalld_default_deny medium

Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

Rule IDxccdf_org.ssgproject.content_rule_configured_firewalld_default_deny
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
disaCCI-002314
nistAC-17 (1)
os-srgSRG-OS-000297-GPOS-00115
stigrefSV-257937r925798_rule
Description
Red Hat Enterprise Linux 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
Rationale
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of data.
Evaluation messages
info 
No candidate or applicable check found.
Configure Firewalld to Use the Nftables Backendxccdf_org.ssgproject.content_rule_firewalld-backend medium

Configure Firewalld to Use the Nftables Backend

Rule IDxccdf_org.ssgproject.content_rule_firewalld-backend
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
disaCCI-002385
nistSC-5
os-srgSRG-OS-000420-GPOS-00186
stigrefSV-257939r925804_rule
Description
Firewalld can be configured with many backends, such as nftables.
Rationale
Nftables is modern kernel module for controling network connections coming into a system. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.
Install libreswan Packagexccdf_org.ssgproject.content_rule_package_libreswan_installed medium

Install libreswan Package

Rule IDxccdf_org.ssgproject.content_rule_package_libreswan_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_libreswan_installed:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc12, 15, 3, 5, 8
cobit5APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04
disaCCI-001130, CCI-001131
isa-62443-20094.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
isa-62443-2013SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.4, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.15.1.1, A.15.2.1, A.6.2.1, A.6.2.2
nistCM-6(a)
nist-csfPR.AC-3, PR.MA-2, PR.PT-4
pcidssReq-4.1
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061
stigrefSV-257954r925849_rule
Description
The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:
$ sudo dnf install libreswan
Rationale
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:45 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package          Architecture  Version                  Repository        Size
================================================================================
Installing:
 libreswan        x86_64        4.12-2.el9_4.1           appstream        1.3 M
Installing dependencies:
 ldns             x86_64        1.7.1-11.el9             appstream        160 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 1.5 M
Installed size: 5.6 M
Downloading Packages:
(1/2): ldns-1.7.1-11.el9.x86_64.rpm             217 kB/s | 160 kB     00:00    
(2/2): libreswan-4.12-2.el9_4.1.x86_64.rpm      820 kB/s | 1.3 MB     00:01    
--------------------------------------------------------------------------------
Total                                           826 kB/s | 1.5 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : ldns-1.7.1-11.el9.x86_64                               1/2 
  Installing       : libreswan-4.12-2.el9_4.1.x86_64                        2/2 
  Running scriptlet: libreswan-4.12-2.el9_4.1.x86_64                        2/2 
  Verifying        : libreswan-4.12-2.el9_4.1.x86_64                        1/2 
  Verifying        : ldns-1.7.1-11.el9.x86_64                               2/2 
Installed products updated.

Installed:
  ldns-1.7.1-11.el9.x86_64            libreswan-4.12-2.el9_4.1.x86_64           

Complete!
OVAL test results details

package libreswan is installed  oval:ssg-test_package_libreswan_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
Name
libreswan
Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels medium

Verify Any Configured IPSec Tunnel Connections

Rule IDxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
cobit5APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
disaCCI-000336
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-17(a), MA-4(6), CM-6(a), AC-4, SC-8
nist-csfDE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257950r925837_rule
Description
Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d exists is an approved organizational connection.
Rationale
IP tunneling mechanisms can be used to bypass network filtering.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
Evaluation messages
info 
No candidate or applicable check found.
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra medium

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
cis3.3.9
stigrefSV-257971r925900_rule
Description
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_ra=0
true/etc/sysctl.confnet.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_ra=0
not evaluated/etc/sysctl.confnet.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.all.accept_ra0
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects medium

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.1.20
disaCCI-000366, CCI-001551
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
anssiR13
cis3.3.2
stigrefSV-257972r925903_rule
Description
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_redirects=0
true/etc/sysctl.confnet.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_redirects=0
not evaluated/etc/sysctl.confnet.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route medium

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
cobit5APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfDE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR13
cis3.3.1
stigrefSV-257973r943003_rule
Description
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv6.conf.all.accept_source_route=0
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv6.conf.all.accept_source_route=0
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.all.accept_source_route0
Disable Kernel Parameter for IPv6 Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding medium

Disable Kernel Parameter for IPv6 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv)
nist-csfDE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
cis3.2.1
stigrefSV-257974r943005_rule
Description
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv6.conf.all.forwarding=0
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv6.conf.all.forwarding=0
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.all.forwarding0
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra medium

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
cis3.3.9
stigrefSV-257975r943007_rule
Description
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_ra=0
true/etc/sysctl.confnet.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_ra=0
not evaluated/etc/sysctl.confnet.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.default.accept_ra0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects medium

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.1.20
disaCCI-000366, CCI-001551
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
anssiR13
cis3.3.2
stigrefSV-257976r943009_rule
Description
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1

net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1

net.ipv6.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.default.accept_redirects1
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route medium

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
cobit5APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv)
nist-csfDE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
pcidssReq-1.4.3
os-srgSRG-OS-000480-GPOS-00227
anssiR13
cis3.3.1
pcidss41.4.2
stigrefSV-257977r943011_rule
Description
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_source_route=0
true/etc/sysctl.confnet.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_source_route=0
not evaluated/etc/sysctl.confnet.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv6.conf.default.accept_source_route0
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects medium

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cjis5.10.1.1
cobit5APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
cui3.1.20
disaCCI-000366, CCI-001503, CCI-001551
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), SC-7(a)
nist-csfDE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.2
stigrefSV-257958r942985_rule
Description
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.conf.all.accept_redirects=0
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.conf.all.accept_redirects=0
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route medium

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.1
stigrefSV-257959r942987_rule
Description
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_source_route=0
true/etc/sysctl.confnet.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_source_route=0
not evaluated/etc/sysctl.confnet.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.accept_source_route0
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding medium

Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_forwarding:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257970r943001_rule
Description
To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Warnings
warning  There might be cases when certain applications can systematically override this option. One such case is Libvirt; a toolkit for managing of virtualization platforms. By default, Libvirt requires IP forwarding to be enabled to facilitate network communication between the virtualization host and guest machines. It enables IP forwarding after every reboot.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

net.ipv4.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1

net.ipv4.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1

net.ipv4.conf.all.forwarding static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.forwarding set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.forwarding0
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknown

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1
Time2024-08-21T12:34:44+00:00
Severityunknown
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
cui3.1.20
disaCCI-000126
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), SC-5(3)(a)
nist-csfDE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
cis3.3.4
stigrefSV-257960r925867_rule
Description
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
Rationale
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
OVAL test results details

net.ipv4.conf.all.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.conf.all.log_martians=1
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.log_martians=1

net.ipv4.conf.all.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.conf.all.log_martians=1
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.log_martians=1

net.ipv4.conf.all.log_martians static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.log_martians1
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter medium

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cobit5APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui3.1.20
disaCCI-000366, CCI-001551
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
pcidssReq-1.4.3
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.7
pcidss41.4.3
stigrefSV-257962r942989_rule
Description
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
Rationale
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
OVAL test results details

net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.conf.all.rp_filter=1
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.conf.all.rp_filter=1
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.rp_filter static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.rp_filter1
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects medium

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366, CCI-001551
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
pcidssReq-1.4.3
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.2
pcidss41.4.3
stigrefSV-257963r942991_rule
Description
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1

net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1

net.ipv4.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.ipv4.conf.default.accept_redirects1
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route medium

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366, CCI-001551
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5, SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.1
stigrefSV-257964r942993_rule
Description
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_source_route=0
true/etc/sysctl.confnet.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_source_route=0
not evaluated/etc/sysctl.confnet.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_pkg_correct:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/usr/lib/sysctl.d/50-default.confnet.ipv4.conf.default.accept_source_route = 0

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.default.accept_source_route0
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians unknown

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1
Time2024-08-21T12:34:44+00:00
Severityunknown
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
cui3.1.20
disaCCI-000126
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), SC-5(3)(a)
nist-csfDE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
cis3.3.4
stigrefSV-257961r925870_rule
Description
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
Rationale
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
OVAL test results details

net.ipv4.conf.default.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.log_martians=1
true/etc/sysctl.confnet.ipv4.conf.default.log_martians=1

net.ipv4.conf.default.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.log_martians=1
not evaluated/etc/sysctl.confnet.ipv4.conf.default.log_martians=1

net.ipv4.conf.default.log_martians static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.default.log_martians1
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter medium

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cobit5APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.7
stigrefSV-257965r925882_rule
Description
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
Rationale
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
OVAL test results details

net.ipv4.conf.default.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.conf.default.rp_filter=1
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.conf.default.rp_filter=1
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.rp_filter static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_pkg_correct:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
true/usr/lib/sysctl.d/50-redhat.confnet.ipv4.conf.default.rp_filter = 1
false/usr/lib/sysctl.d/50-default.confnet.ipv4.conf.default.rp_filter = 2

kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.default.rp_filter1
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts medium

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
pcidssReq-1.4.3
os-srgSRG-OS-000480-GPOS-00227
cis3.3.5
pcidss41.4.2
stigrefSV-257966r942995_rule
Description
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
OVAL test results details

net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1
true/etc/sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1
not evaluated/etc/sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.icmp_echo_ignore_broadcasts1
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknown

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1
Time2024-08-21T12:34:44+00:00
Severityunknown
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
cobit5APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
cui3.1.20
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5
nist-csfDE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
pcidssReq-1.4.3
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.3.6
pcidss41.4.2
stigrefSV-257967r925888_rule
Description
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
OVAL test results details

net.ipv4.icmp_ignore_bogus_error_responses static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1
true/etc/sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1

net.ipv4.icmp_ignore_bogus_error_responses static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1
not evaluated/etc/sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.icmp_ignore_bogus_error_responses1
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies medium

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
cui3.1.20
disaCCI-000366, CCI-001095
isa-62443-20094.2.3.4, 4.3.3.4, 4.4.3.3
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
pcidssReq-1.4.1
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071
anssiR12
cis3.3.8
pcidss41.4.3
stigrefSV-257957r942983_rule
Description
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
Rationale
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
OVAL test results details

net.ipv4.tcp_syncookies static configuration  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.tcp_syncookies=1
true/etc/sysctl.d/99-sysctl.confnet.ipv4.tcp_syncookies=1

net.ipv4.tcp_syncookies static configuration  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.tcp_syncookies=1
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.tcp_syncookies=1

net.ipv4.tcp_syncookies static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.tcp_syncookies1
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects medium

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.2.2
pcidss41.4.5
stigrefSV-257968r942997_rule
Description
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.confnet.ipv4.conf.all.send_redirects=0
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.confnet.ipv4.conf.all.send_redirects=0
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.all.send_redirects0
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects medium

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time2024-08-21T12:34:45+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
cjis5.10.1.1
cobit5APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
cui3.1.20
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
nistCM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
nist-csfDE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR12
cis3.2.2
pcidss41.4.5
stigrefSV-257969r942999_rule
Description
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.send_redirects=0
true/etc/sysctl.confnet.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user_missing:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.send_redirects=0
not evaluated/etc/sysctl.confnet.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truenet.ipv4.conf.default.send_redirects0
Disable ATM Supportxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled medium

Disable ATM Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_atm_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000381, CCI-000366
nistAC-18
osppFMT_SMF_EXT.1
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
stigrefSV-257804r925399_rule
Description
The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
install atm /bin/true
Rationale
Disabling ATM protects the system against exploitation of any flaws in its implementation.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/atm.conf: No such file or directory
OVAL test results details

kernel module atm blacklisted  oval:ssg-test_kernmod_atm_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+atm$1

kernel module atm disabled  oval:ssg-test_kernmod_atm_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+atm\s+(/bin/false|/bin/true)$1
Disable CAN Supportxccdf_org.ssgproject.content_rule_kernel_module_can_disabled medium

Disable CAN Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_can_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_can_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000381, CCI-000366
nistAC-18
osppFMT_SMF_EXT.1
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
stigrefSV-257805r925402_rule
Description
The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
install can /bin/true
Rationale
Disabling CAN protects the system against exploitation of any flaws in its implementation.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/can.conf: No such file or directory
OVAL test results details

kernel module can blacklisted  oval:ssg-test_kernmod_can_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+can$1

kernel module can disabled  oval:ssg-test_kernmod_can_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+can\s+(/bin/false|/bin/true)$1
Disable IEEE 1394 (FireWire) Supportxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled low

Disable IEEE 1394 (FireWire) Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_firewire-core_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitylow
References:
disaCCI-000381
nistAC-18
osppFMT_SMF_EXT.1
os-srgSRG-OS-000095-GPOS-00049
stigrefSV-257806r942955_rule
Description
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
install firewire-core /bin/true
Rationale
Disabling FireWire protects the system against exploitation of any flaws in its implementation.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/firewire-core.conf: No such file or directory
OVAL test results details

kernel module firewire-core blacklisted  oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+firewire-core$1

kernel module firewire-core disabled  oval:ssg-test_kernmod_firewire-core_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$1
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled medium

Disable SCTP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_sctp_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cjis5.10.1
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.4.6
disaCCI-000381, CCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
pcidssReq-1.4.2
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
pcidss41.4.2
stigrefSV-257807r952166_rule
Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/true
Rationale
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/sctp.conf: No such file or directory
OVAL test results details

kernel module sctp blacklisted  oval:ssg-test_kernmod_sctp_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+sctp$1

kernel module sctp disabled  oval:ssg-test_kernmod_sctp_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+sctp\s+(/bin/false|/bin/true)$1
Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled low

Disable TIPC Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_tipc_disabled:def:1
Time2024-08-21T12:34:45+00:00
Severitylow
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
disaCCI-000381
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
osppFMT_SMF_EXT.1
os-srgSRG-OS-000095-GPOS-00049
cis3.1.3
stigrefSV-257808r925411_rule
Description
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
install tipc /bin/true
Rationale
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Warnings
warning  This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.
OVAL test results details

kernel module tipc blacklisted  oval:ssg-test_kernmod_tipc_blacklisted:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/modprobe.d/CIS.confblacklist tipc

kernel module tipc disabled  oval:ssg-test_kernmod_tipc_disabled:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/modprobe.d/CIS.confinstall tipc /bin/false
Disable Bluetooth Kernel Modulexccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled medium

Disable Bluetooth Kernel Module

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_bluetooth_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cjis5.13.1.3
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
cui3.1.16
disaCCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistAC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
stigrefSV-258039r926104_rule
Description
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
Rationale
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/bluetooth.conf: No such file or directory
OVAL test results details

kernel module bluetooth blacklisted  oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+bluetooth$1

kernel module bluetooth disabled  oval:ssg-test_kernmod_bluetooth_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$1
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces medium

Deactivate Wireless Network Interfaces

Rule IDxccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:34:45+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
cui3.1.16
disaCCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
ism1315, 1319
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistAC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
pcidssReq-1.3.3
os-srgSRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481
cis3.1.2
pcidss41.3.3
stigrefSV-258040r926107_rule
Description
Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
Rationale
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
NetworkManager DNS Mode Must Be Must Configuredxccdf_org.ssgproject.content_rule_networkmanager_dns_mode medium

NetworkManager DNS Mode Must Be Must Configured

Rule IDxccdf_org.ssgproject.content_rule_networkmanager_dns_mode
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-networkmanager_dns_mode:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257949r925834_rule
Description
The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected.
Rationale
To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

tests the value of dns setting in the /etc/NetworkManager/NetworkManager.conf file  oval:ssg-test_networkmanager_dns_mode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_networkmanager_dns_mode:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/NetworkManager/NetworkManager.conf^\s*\[main\].*(?:\n\s*[^[\s].*)*\ndns=([^#]*).*$1

The configuration file /etc/NetworkManager/NetworkManager.conf exists for networkmanager_dns_mode  oval:ssg-test_networkmanager_dns_mode_config_file_exists:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
not evaluated/etc/NetworkManager/NetworkManager.confregular002263rw-r--r-- 
Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution medium

Configure Multiple DNS Servers in /etc/resolv.conf

Rule IDxccdf_org.ssgproject.content_rule_network_configure_name_resolution
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-network_configure_name_resolution:def:1
Time2024-08-21T12:38:46+00:00
Severitymedium
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
disaCCI-000366
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistSC-20(a), CM-6(a)
nist-csfPR.PT-4
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257948r925831_rule
Description
Determine whether the system is using local or DNS name resolution with the following command:
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command:
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following:
Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
Rationale
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Warnings
warning  This rule doesn't come with a remediation, the IP addresses of local authoritative name servers need to be added by the administrator.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

check if dns is set in host line in /etc/nsswitch.conf  oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/nsswitch.confhosts: files dns myhostname

check if more than one nameserver in /etc/resolv.conf  oval:ssg-test_network_configure_name_resolution:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/resolv.conf^[\s]*nameserver[\s]+([0-9\.]+)$1

check if dns is set in host line in /etc/nsswitch.conf  oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/nsswitch.confhosts: files dns myhostname

check if /etc/resolv.conf is empty  oval:ssg-test_file_empty_resolv:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
false/etc/resolv.confregular0082rw-r--r-- 
Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled medium

Ensure System is Not Acting as a Network Sniffer

Rule IDxccdf_org.ssgproject.content_rule_network_sniffer_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-network_sniffer_disabled:def:1
Time2024-08-21T12:34:44+00:00
Severitymedium
References:
cis-csc1, 11, 14, 3, 9
cobit5APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06
disaCCI-000366
isa-62443-20094.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8
iso27001-2013A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3
nist-csfDE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
pcidss41.4.5
stigrefSV-257941r925810_rule
Description
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
Rationale
Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
OVAL test results details

check all network interfaces for PROMISC flag  oval:ssg-test_promisc_interfaces:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object
NameFilter
^.*$oval:ssg-state_promisc:ste:1
Verify Group Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group medium

Verify Group Who Owns Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7
os-srgSRG-OS-000480-GPOS-00227
cis6.1.4
pcidss42.2.6
stigrefSV-257901r925690_rule
Description
To properly set the group owner of /etc/group-, run the command:
$ sudo chgrp root /etc/group-
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing group ownership of /etc/group-  oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1
Verify Group Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow medium

Verify Group Who Owns Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7
os-srgSRG-OS-000480-GPOS-00227
cis6.1.8
stigrefSV-257905r925702_rule
Description
To properly set the group owner of /etc/gshadow-, run the command:
$ sudo chgrp root /etc/gshadow-
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/gshadow-  oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1
Verify Group Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd medium

Verify Group Who Owns Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7
os-srgSRG-OS-000480-GPOS-00227
cis6.1.2
pcidss42.2.6
stigrefSV-257909r925714_rule
Description
To properly set the group owner of /etc/passwd-, run the command:
$ sudo chgrp root /etc/passwd-
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/passwd-  oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1
Verify User Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow medium

Verify User Who Owns Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
pcidssReq-8.7
os-srgSRG-OS-000480-GPOS-00227
cis6.1.6
pcidss42.2.6
stigrefSV-257913r925726_rule
Description
To properly set the group owner of /etc/shadow-, run the command:
$ sudo chgrp root /etc/shadow-
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/shadow-  oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1
Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group medium

Verify Group Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.3
pcidss42.2.6
stigrefSV-257899r925684_rule
Description
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing group ownership of /etc/group  oval:ssg-test_file_groupowner_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1
Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow medium

Verify Group Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.7
stigrefSV-257903r925696_rule
Description
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/gshadow  oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1
Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd medium

Verify Group Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.1
pcidss42.2.6
stigrefSV-257907r925708_rule
Description
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/passwd  oval:ssg-test_file_groupowner_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1
Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow medium

Verify Group Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.5
pcidss42.2.6
stigrefSV-257911r925720_rule
Description
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
Rationale
The /etc/shadow file stores password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/shadow  oval:ssg-test_file_groupowner_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1
Verify User Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_group medium

Verify User Who Owns Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.4
pcidss42.2.6
stigrefSV-257900r925687_rule
Description
To properly set the owner of /etc/group-, run the command:
$ sudo chown root /etc/group- 
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing user ownership of /etc/group-  oval:ssg-test_file_owner_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1
Verify User Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow medium

Verify User Who Owns Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7
os-srgSRG-OS-000480-GPOS-00227
cis6.1.8
stigrefSV-257904r925699_rule
Description
To properly set the owner of /etc/gshadow-, run the command:
$ sudo chown root /etc/gshadow- 
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/gshadow-  oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1
Verify User Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd medium

Verify User Who Owns Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.2
pcidss42.2.6
stigrefSV-257908r925711_rule
Description
To properly set the owner of /etc/passwd-, run the command:
$ sudo chown root /etc/passwd- 
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/passwd-  oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1
Verify Group Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow medium

Verify Group Who Owns Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.6
pcidss42.2.6
stigrefSV-257912r925723_rule
Description
To properly set the owner of /etc/shadow-, run the command:
$ sudo chown root /etc/shadow- 
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/shadow-  oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1
Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group medium

Verify User Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.3
pcidss42.2.6
stigrefSV-257898r925681_rule
Description
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group 
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing user ownership of /etc/group  oval:ssg-test_file_owner_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-symlink_file_owner_etc_group_uid_0:ste:1oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1
Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow medium

Verify User Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.7
stigrefSV-257902r925693_rule
Description
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow 
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/gshadow  oval:ssg-test_file_owner_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1
Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd medium

Verify User Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.1
pcidss42.2.6
stigrefSV-257906r925705_rule
Description
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/passwd  oval:ssg-test_file_owner_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1
Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow medium

Verify User Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.5
pcidss42.2.6
stigrefSV-257910r925717_rule
Description
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow 
Rationale
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
OVAL test results details

Testing user ownership of /etc/shadow  oval:ssg-test_file_owner_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1
Verify Permissions on Backup group Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group medium

Verify Permissions on Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.4
pcidss42.2.6
stigrefSV-257892r925663_rule
Description
To properly set the permissions of /etc/group-, run the command:
$ sudo chmod 0644 /etc/group-
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing mode of /etc/group-  oval:ssg-test_file_permissions_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-exclude_symlinks__backup_etc_group:ste:1oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1
Verify Permissions on Backup gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow medium

Verify Permissions on Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
os-srgSRG-OS-000480-GPOS-00227
cis6.1.8
stigrefSV-257894r925669_rule
Description
To properly set the permissions of /etc/gshadow-, run the command:
$ sudo chmod 0000 /etc/gshadow-
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/gshadow-  oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on Backup passwd Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd medium

Verify Permissions on Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.2
pcidss42.2.6
stigrefSV-257896r925675_rule
Description
To properly set the permissions of /etc/passwd-, run the command:
$ sudo chmod 0644 /etc/passwd-
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/passwd-  oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1
Verify Permissions on Backup shadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow medium

Verify Permissions on Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-002223
nistAC-6 (1)
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
cis6.1.6
pcidss42.2.6
stigrefSV-257897r925678_rule
Description
To properly set the permissions of /etc/shadow-, run the command:
$ sudo chmod 0000 /etc/shadow-
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/shadow-  oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group medium

Verify Permissions on group File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_group:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.3
pcidss42.2.6
stigrefSV-257891r925660_rule
Description
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing mode of /etc/group  oval:ssg-test_file_permissions_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-exclude_symlinks__etc_group:ste:1oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1
Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow medium

Verify Permissions on gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_gshadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.7
stigrefSV-257893r925666_rule
Description
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/gshadow  oval:ssg-test_file_permissions_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-exclude_symlinks__etc_gshadow:ste:1oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd medium

Verify Permissions on passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_passwd:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.1
pcidss42.2.6
stigrefSV-257895r925672_rule
Description
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
Rationale
If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/passwd  oval:ssg-test_file_permissions_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-exclude_symlinks__etc_passwd:ste:1oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow medium

Verify Permissions on shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_shadow:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cjis5.5.2.2
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-002223
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-8.7.c
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis6.1.5
pcidss42.2.6
stigrefSV-257934r925789_rule
Description
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
Rationale
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
OVAL test results details

Testing mode of /etc/shadow  oval:ssg-test_file_permissions_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-exclude_symlinks__etc_shadow:ste:1oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1
Verify Group Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_groupowner_var_log medium

Verify Group Who Owns /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_var_log:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
app-srg-ctrSRG-APP-000118-CTR-000240
stigrefSV-257915r925732_rule
Description
To properly set the group owner of /var/log, run the command:
$ sudo chgrp root /var/log
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing group ownership of /var/log/  oval:ssg-test_file_groupowner_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1
Verify Group Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages medium

Verify Group Who Owns /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_var_log_messages:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
stigrefSV-257917r925738_rule
Description
To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing group ownership of /var/log/messages  oval:ssg-test_file_groupowner_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1
Verify User Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_owner_var_log medium

Verify User Who Owns /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_owner_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_var_log:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
app-srg-ctrSRG-APP-000118-CTR-000240
stigrefSV-257914r925729_rule
Description
To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing user ownership of /var/log/  oval:ssg-test_file_owner_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-symlink_file_owner_var_log_uid_0:ste:1oval:ssg-state_file_owner_var_log_uid_0_0:ste:1
Verify User Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_owner_var_log_messages medium

Verify User Who Owns /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_var_log_messages:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
stigrefSV-257916r925735_rule
Description
To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing user ownership of /var/log/messages  oval:ssg-test_file_owner_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1
Verify Permissions on /var/log Directoryxccdf_org.ssgproject.content_rule_file_permissions_var_log medium

Verify Permissions on /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
app-srg-ctrSRG-APP-000118-CTR-000240
stigrefSV-257885r925642_rule
Description
To properly set the permissions of /var/log, run the command:
$ sudo chmod 0755 /var/log
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing mode of /var/log/  oval:ssg-test_file_permissions_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-exclude_symlinks__var_log:ste:1oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1
Verify Permissions on /var/log/messages Filexccdf_org.ssgproject.content_rule_file_permissions_var_log_messages medium

Verify Permissions on /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log_messages:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
disaCCI-001314
os-srgSRG-OS-000206-GPOS-00084
stigrefSV-257886r925645_rule
Description
To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing mode of /var/log/messages  oval:ssg-test_file_permissions_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-exclude_symlinks__var_log_messages:ste:1oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1
Verify that Shared Library Directories Have Root Group Ownershipxccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs medium

Verify that Shared Library Directories Have Root Group Ownership

Rule IDxccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_group_ownership_library_dirs:def:1
Time2024-08-21T12:35:21+00:00
Severitymedium
References:
disaCCI-001499
nistCM-5(6), CM-5(6).1
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257923r925756_rule
Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
                  
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
OVAL test results details

Testing group ownership of /lib/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1

Testing group ownership of /lib64/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1

Testing group ownership of /usr/lib/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1

Testing group ownership of /usr/lib64/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1
Verify that Shared Library Directories Have Root Ownershipxccdf_org.ssgproject.content_rule_dir_ownership_library_dirs medium

Verify that Shared Library Directories Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_ownership_library_dirs:def:1
Time2024-08-21T12:35:22+00:00
Severitymedium
References:
disaCCI-001499
nistCM-5(6), CM-5(6).1
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257922r925753_rule
Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
                  
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
OVAL test results details

Testing user ownership of /lib/  oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1

Testing user ownership of /lib64/  oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1

Testing user ownership of /usr/lib/  oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1

Testing user ownership of /usr/lib64/  oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1
Verify that Shared Library Directories Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_dir_permissions_library_dirs medium

Verify that Shared Library Directories Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_permissions_library_dirs:def:1
Time2024-08-21T12:35:24+00:00
Severitymedium
References:
disaCCI-001499
nerc-cipCIP-003-8 R6
nistCM-5, CM-5(6), CM-5(6).1
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257883r925636_rule
Description
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w DIR
                  
Rationale
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

Testing mode of /lib/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1

Testing mode of /lib64/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib64/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_3_mode_7755or_stricter_:ste:1
Verify that system commands files are group owned by root or a system accountxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs medium

Verify that system commands files are group owned by root or a system account

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_system_commands_dirs:def:1
Time2024-08-21T12:35:24+00:00
Severitymedium
References:
disaCCI-001499
nistCM-5(6), CM-5(6).1
os-srgSRG-OS-000259-GPOS-00100
anssiR50
stigrefSV-257919r925744_rule
Description
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command:
$ sudo chgrp root FILE
                  
Rationale
If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

system commands are owned by root or a system account  oval:ssg-test_groupownership_system_commands_dirs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type file_object
PathFilenameFilter
^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin^.*$oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1
Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs medium

Verify that System Executables Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_binary_dirs:def:1
Time2024-08-21T12:35:24+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-001499
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-5(6), CM-5(6).1, CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000259-GPOS-00100
anssiR50
stigrefSV-257918r925741_rule
Description
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
                  
Rationale
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
OVAL test results details

binary directories uid root  oval:ssg-test_ownership_binary_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type file_object
PathFilenameFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexecno valueoval:ssg-state_owner_binaries_not_root:ste:1

binary files uid root  oval:ssg-test_ownership_binary_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type file_object
PathFilenameFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_owner_binaries_not_root:ste:1
Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs medium

Verify that Shared Library Files Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_library_dirs:def:1
Time2024-08-21T12:35:34+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-001499
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-5(6), CM-5(6).1, CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257920r925747_rule
Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
                  
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
OVAL test results details

Testing user ownership of /lib/  oval:ssg-test_file_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1

Testing user ownership of /lib64/  oval:ssg-test_file_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1

Testing user ownership of /usr/lib/  oval:ssg-test_file_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1

Testing user ownership of /usr/lib64/  oval:ssg-test_file_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1
Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs medium

Verify that System Executables Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_binary_dirs:def:1
Time2024-08-21T12:35:34+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-001499
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-5(6), CM-5(6).1, CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000259-GPOS-00100
anssiR50
stigrefSV-257882r925633_rule
Description
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
                  
Rationale
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
OVAL test results details

binary files go-w  oval:ssg-test_perms_binary_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_binary_files:obj:1 of type file_object
PathFilenameFilterFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1oval:ssg-state_perms_binary_files_symlink:ste:1
Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs medium

Verify that Shared Library Files Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_library_dirs:def:1
Time2024-08-21T12:35:44+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-001499
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), CM-5(6), CM-5(6).1, AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257884r925639_rule
Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
                  
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
OVAL test results details

Testing mode of /lib/  oval:ssg-test_file_permissions_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1

Testing mode of /lib64/  oval:ssg-test_file_permissions_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib/  oval:ssg-test_file_permissions_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib64/  oval:ssg-test_file_permissions_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files medium

Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

Rule IDxccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-root_permissions_syslibrary_files:def:1
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001499
nistCM-5(6), CM-5(6).1
os-srgSRG-OS-000259-GPOS-00100
stigrefSV-257921r925750_rule
Description
System-wide library files are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command:
$ sudo chgrp root FILE
                  
Rationale
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

Testing group ownership of /lib/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_0:ste:1

Testing group ownership of /lib64/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_1:ste:1

Testing group ownership of /usr/lib/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_2:ste:1

Testing group ownership of /usr/lib64/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_3:ste:1
Ensure All World-Writable Directories Are Owned by root Userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned medium

Ensure All World-Writable Directories Are Owned by root User

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_root_owned:def:1
Time2024-08-21T12:34:48+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069
anssiR54
stigrefSV-257928r925771_rule
Description
All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.
Rationale
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
OVAL test results details

check for local directories that are world writable and have uid greater than 0  oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid_zero:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/no valueoval:ssg-state_uid_is_not_root_and_world_writable:ste:1
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits medium

Verify that All World-Writable Directories Have Sticky Bits Set

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_sticky_bits:def:1
Time2024-08-21T12:34:51+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-001090
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000138-GPOS-00069
anssiR54
cis6.1.12
pcidss42.2.6
stigrefSV-257929r925774_rule
Description
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
                
Rationale
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
Warnings
warning  This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of directories present on the system. It is not a problem in most cases, but especially systems with a large number of directories can be affected. See https://access.redhat.com/articles/6999111.
OVAL test results details

Check the existence of world-writable directories without sticky bits  oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_dir_perms_world_writable_sticky_bits:obj:1 of type file_object
BehaviorsPathFilenameFilter
/boot/efi
/boot
/mnt
/
no valueno valueoval:ssg-state_dir_perms_world_writable_sticky_bits:ste:1
Verify Permissions on /etc/audit/auditd.confxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd medium

Verify Permissions on /etc/audit/auditd.conf

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_audit_auditd:def:1
Time2024-08-21T12:34:51+00:00
Severitymedium
References:
disaCCI-000171
nistAU-12(b)
os-srgSRG-OS-000063-GPOS-00032
stigrefSV-258172r926503_rule
Description
To properly set the permissions of /etc/audit/auditd.conf, run the command:
$ sudo chmod 0640 /etc/audit/auditd.conf
Rationale
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
OVAL test results details

Testing mode of /etc/audit/auditd.conf  oval:ssg-test_file_permissions_etc_audit_auditd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_audit_auditd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/audit/auditd.confoval:ssg-exclude_symlinks__etc_audit_auditd:ste:1oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1
Verify Permissions on /etc/audit/rules.d/*.rulesxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd medium

Verify Permissions on /etc/audit/rules.d/*.rules

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_audit_rulesd:def:1
Time2024-08-21T12:34:51+00:00
Severitymedium
References:
disaCCI-000171
nistAU-12(b)
os-srgSRG-OS-000063-GPOS-00032
stigrefSV-258171r943057_rule
Description
To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
$ sudo chmod 0640 /etc/audit/rules.d/*.rules
Rationale
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
OVAL test results details

Testing mode of /etc/audit/rules.d/  oval:ssg-test_file_permissions_etc_audit_rulesd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_audit_rulesd_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/audit/rules.d^.*rules$oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0640or_stricter_:ste:1
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned medium

Ensure All Files Are Owned by a Group

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_ungroupowned:def:1
Time2024-08-21T12:35:07+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10
disaCCI-000366, CCI-002165
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
anssiR53
cis6.1.11
pcidss42.2.6
stigrefSV-257930r925777_rule
Description
If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  This rule only considers local groups as valid groups. If you have your groups defined outside /etc/group, the rule won't consider those.
warning  This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a problem in most cases, but especially systems with a large number of files can be affected. See https://access.redhat.com/articles/6999111.
OVAL test results details

there are no files with group owner different than local groups  oval:ssg-test_file_permissions_ungroupowned:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object
BehaviorsPathFilenameFilter
/boot/efi
/boot
/mnt
/
1
0
2
3
4
5
6
7
8
9
10
11
12
15
18
19
20
33
39
50
54
63
100
65534
22
35
999
36
998
190
997
81
996
995
74
994
59
993
992
991
1000
990
989
988
987
986
172
985
984
983
no value.*oval:ssg-state_file_permissions_ungroupowned_local_group_owner:ste:1
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user medium

Ensure All Files Are Owned by a User

Rule IDxccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_files_unowned_by_user:def:1
Time2024-08-21T12:35:19+00:00
Severitymedium
References:
cis-csc11, 12, 13, 14, 15, 16, 18, 3, 5, 9
cobit5APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06
disaCCI-000366, CCI-002165
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
anssiR53
cis6.1.10
pcidss42.2.6
stigrefSV-257931r925780_rule
Description
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  For this rule to evaluate centralized user accounts, getent must be working properly so that running the command
getent passwd
returns a list of all users in your organization. If using the System Security Services Daemon (SSSD),
enumerate = true
must be configured in your organization's domain to return a complete list of users
warning  This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a problem in most cases, but especially systems with a large number of files can be affected. See https://access.redhat.com/articles/6999111.
OVAL test results details

there are no files without a known owner  oval:ssg-test_no_files_unowned_by_user:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_files_unowned_by_user:obj:1 of type file_object
BehaviorsPathFilenameFilter
1
2
3
4
5
6
7
8
11
12
14
65534
999
81
998
0
74
997
59
996
991
1000
990
989
988
987
172
986
985
984
/
/boot/efi
/boot
/mnt
no value.*oval:ssg-state_no_files_unowned_by_user_uids_list:ste:1
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled medium

Disable the Automounter

Rule IDxccdf_org.ssgproject.content_rule_service_autofs_disabled
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.4.6
disaCCI-000366, CCI-000778, CCI-001958
hipaa164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
iso27001-2013A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-7(a), CM-7(b), CM-6(a), MP-7
nist-csfPR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
os-srgSRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
stigrefSV-257849r925534_rule
Description
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
Rationale
Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled low

Disable Mounting of cramfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_cramfs_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitylow
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
cui3.4.6
disaCCI-000381
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000095-GPOS-00049
stigrefSV-257880r942957_rule
Description
To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the server.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/cramfs.conf: No such file or directory
OVAL test results details

kernel module cramfs blacklisted  oval:ssg-test_kernmod_cramfs_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+cramfs$1

kernel module cramfs disabled  oval:ssg-test_kernmod_cramfs_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+cramfs\s+(/bin/false|/bin/true)$1
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled medium

Disable Modprobe Loading of USB Storage Driver

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_usb-storage_disabled:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.1.21
disaCCI-000366, CCI-000778, CCI-001958
hipaa164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
iso27001-2013A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-7(a), CM-7(b), CM-6(a), MP-7
nist-csfPR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
os-srgSRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
app-srg-ctrSRG-APP-000141-CTR-000315
cis1.1.9
pcidss43.4.2
stigrefSV-258034r926089_rule
Description
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Rationale
USB storage devices such as thumb drives can be used to introduce malicious software.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /etc/modprobe.d/usb-storage.conf: No such file or directory
OVAL test results details

kernel module usb-storage blacklisted  oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^blacklist\s+usb-storage$1

kernel module usb-storage disabled  oval:ssg-test_kernmod_usb-storage_disabled:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/modprobe.d
/etc/modules-load.d
/run/modprobe.d
/run/modules-load.d
/usr/lib/modprobe.d
/usr/lib/modules-load.d
^.*\.conf$^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1
Add nosuid Option to /boot/efixccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid medium

Add nosuid Option to /boot/efi

Rule IDxccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_boot_efi_nosuid:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b), CM-6.1(iv)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257862r925573_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /boot/efi. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot/efi.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nosuid on /boot/efi   oval:ssg-test_boot_efi_partition_nosuid_optional:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
false/boot/efi/dev/sda16BDD-84EAvfatrwrelatimefmask=0077dmask=0077codepage=437iocharset=asciishortname=winnterrors=remount-robind50574358746987

/boot/efi exists  oval:ssg-test_boot_efi_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/boot/efi/dev/sda16BDD-84EAvfatrwrelatimefmask=0077dmask=0077codepage=437iocharset=asciishortname=winnterrors=remount-robind50574358746987

nosuid on /boot/efi in /etc/fstab  oval:ssg-test_boot_efi_partition_nosuid_optional_in_fstab:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/fstabUUID=6BDD-84EA /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt

/boot/efi exists in /etc/fstab  oval:ssg-test_boot_efi_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/fstabUUID=6BDD-84EA /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt
Add nodev Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nodev medium

Add nodev Option to /boot

Rule IDxccdf_org.ssgproject.content_rule_mount_option_boot_nodev
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_boot_nodev:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
stigrefSV-257860r925567_rule
Description
The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nodev on /boot   oval:ssg-test_boot_partition_nodev_optional:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
false/boot/dev/sda29dd560e5-b943-4e7f-b05f-e79021d9b117xfsrwseclabelrelatimeattr2inode64logbufs=8logbsize=32knoquotabind239616109048130568

/boot exists  oval:ssg-test_boot_partition_nodev_optional_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/boot/dev/sda29dd560e5-b943-4e7f-b05f-e79021d9b117xfsrwseclabelrelatimeattr2inode64logbufs=8logbsize=32knoquotabind239616109048130568

nodev on /boot in /etc/fstab  oval:ssg-test_boot_partition_nodev_optional_in_fstab:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/fstabUUID=9dd560e5-b943-4e7f-b05f-e79021d9b117 /boot xfs defaults

/boot exists in /etc/fstab  oval:ssg-test_boot_partition_nodev_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/fstabUUID=9dd560e5-b943-4e7f-b05f-e79021d9b117 /boot xfs defaults
Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid medium

Add nosuid Option to /boot

Rule IDxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_boot_nosuid:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000366
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
anssiR28
stigrefSV-257861r925570_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nosuid on /boot   oval:ssg-test_boot_partition_nosuid_optional:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
false/boot/dev/sda29dd560e5-b943-4e7f-b05f-e79021d9b117xfsrwseclabelrelatimeattr2inode64logbufs=8logbsize=32knoquotabind239616109048130568

/boot exists  oval:ssg-test_boot_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/boot/dev/sda29dd560e5-b943-4e7f-b05f-e79021d9b117xfsrwseclabelrelatimeattr2inode64logbufs=8logbsize=32knoquotabind239616109048130568

nosuid on /boot in /etc/fstab  oval:ssg-test_boot_partition_nosuid_optional_in_fstab:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/fstabUUID=9dd560e5-b943-4e7f-b05f-e79021d9b117 /boot xfs defaults

/boot exists in /etc/fstab  oval:ssg-test_boot_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/fstabUUID=9dd560e5-b943-4e7f-b05f-e79021d9b117 /boot xfs defaults
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev medium

Add nodev Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nodev:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.8.2
stigrefSV-257863r925576_rule
Description
The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nodev on /dev/shm   oval:ssg-test_dev_shm_partition_nodev_expected:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
true/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

/dev/shm exists  oval:ssg-test_dev_shm_partition_nodev_expected_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

nodev on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_nodev_expected_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nodev_expected_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)1
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec medium

Add noexec Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_noexec:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.8.3
stigrefSV-257864r925579_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

noexec on /dev/shm   oval:ssg-test_dev_shm_partition_noexec_expected:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
false/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

/dev/shm exists  oval:ssg-test_dev_shm_partition_noexec_expected_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

noexec on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_noexec_expected_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_noexec_expected_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)1
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid medium

Add nosuid Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nosuid:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.8.4
stigrefSV-257865r925582_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nosuid on /dev/shm   oval:ssg-test_dev_shm_partition_nosuid_expected:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
true/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

/dev/shm exists  oval:ssg-test_dev_shm_partition_nosuid_expected_exist:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
not evaluated/dev/shmtmpfstmpfsrwseclabelnosuidnodevinode649821760982176

nosuid on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_nosuid_expected_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nosuid_expected_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+)1
Add nodev Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nodev unknown

Add nodev Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severityunknown
References:
os-srgSRG-OS-000368-GPOS-00154
cis1.1.7.2
stigrefSV-257850r925537_rule
Description
The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_noexec medium

Add noexec Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_home_noexec:def:1
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
anssiR28
stigrefSV-257852r925543_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The /home directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.
OVAL test results details

noexec on /home   oval:ssg-test_home_partition_noexec_optional:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional:obj:1 of type partition_object
Mount point
/home

/home exists  oval:ssg-test_home_partition_noexec_optional_exist:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional:obj:1 of type partition_object
Mount point
/home

noexec on /home in /etc/fstab  oval:ssg-test_home_partition_noexec_optional_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+)1

/home exists in /etc/fstab  oval:ssg-test_home_partition_noexec_optional_exist_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+)1
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid medium

Add nosuid Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
anssiR28
cis1.1.7.3
stigrefSV-257851r925540_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.
Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions medium

Add nodev Option to Non-Root Local Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
anssiR28
stigrefSV-257881r925630_rule
Description
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.
Rationale
The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

nodev on local filesystems  oval:ssg-test_nodev_nonroot_local_partitions:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
true/boot/efi/dev/sda16BDD-84EAvfatrwrelatimefmask=0077dmask=0077codepage=437iocharset=asciishortname=winnterrors=remount-robind50574358746987
true/boot/dev/sda29dd560e5-b943-4e7f-b05f-e79021d9b117xfsrwseclabelrelatimeattr2inode64logbufs=8logbsize=32knoquotabind239616109048130568
true/mnt/dev/sdb19760ea26-9e06-420f-a1d7-cc4d5eaf5b07ext4rwseclabelrelatimebind410031974100312
Add nodev Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions medium

Add nodev Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nodev_removable_partitions:def:1
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 12, 13, 14, 16, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257858r925561_rule
Description
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_removable_partition:var:1/dev/cdrom

'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'nodev' mount option in /etc/fstab  oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add noexec Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions medium

Add noexec Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_noexec_removable_partitions:def:1
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 12, 13, 14, 16, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06
disaCCI-000087, CCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257857r925558_rule
Description
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_removable_partition:var:1/dev/cdrom

'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'noexec' mount option in /etc/fstab  oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions medium

Add nosuid Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nosuid_removable_partitions:def:1
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9
cobit5APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257859r925564_rule
Description
The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_removable_partition:var:1/dev/cdrom

'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'nosuid' mount option in /etc/fstab  oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev medium

Add nodev Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.2.2
stigrefSV-257866r925585_rule
Description
The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec medium

Add noexec Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.2.3
stigrefSV-257867r925588_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid medium

Add nosuid Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-001764
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.2.4
stigrefSV-257868r925591_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev medium

Add nodev Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.6.3
stigrefSV-257873r925606_rule
Description
The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec medium

Add noexec Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.6.2
stigrefSV-257874r925609_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid medium

Add nosuid Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.6.4
stigrefSV-257875r925612_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev medium

Add nodev Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.5.2
stigrefSV-257870r925597_rule
Description
The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec medium

Add noexec Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.5.3
stigrefSV-257871r925600_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid medium

Add nosuid Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.5.4
stigrefSV-257872r925603_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.
Add nodev Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nodev medium

Add nodev Option to /var

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000368-GPOS-00154
cis1.1.3.2
stigrefSV-257869r925594_rule
Description
The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev medium

Add nodev Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
os-srgSRG-OS-000368-GPOS-00154
cis1.1.4.4
stigrefSV-257876r925615_rule
Description
The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec medium

Add noexec Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.4.2
stigrefSV-257877r925618_rule
Description
The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid medium

Add nosuid Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:53+00:00
Severitymedium
References:
disaCCI-001764
os-srgSRG-OS-000368-GPOS-00154
anssiR28
cis1.1.4.3
stigrefSV-257878r925621_rule
Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Disable acquiring, saving, and processing core dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled medium

Disable acquiring, saving, and processing core dumps

Rule IDxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_systemd-coredump_disabled:def:1
Time2024-08-21T12:38:59+00:00
Severitymedium
References:
disaCCI-000366
nistSC-7(10)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257815r925432_rule
Description
The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Created symlink /etc/systemd/system/systemd-coredump.socket → /dev/null.
OVAL test results details

Test that the property LoadState from the systemd-coredump.socket is masked  oval:ssg-test_socket_loadstate_is_masked_systemd-coredump:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
falsesystemd-coredump.socketLoadStateloaded
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces medium

Disable core dump backtraces

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_backtraces
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_backtraces:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6
osppFMT_SMF_EXT.1
pcidssReq-3.2
os-srgSRG-OS-000480-GPOS-00227
cis1.5.2
pcidss43.3.1.1
stigrefSV-257812r925423_rule
Description
The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_backtraces:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= # BEGIN Ansible managed Storage setting Storage=none # END Ansible managed Storage setting # BEGIN Ansible managed ProcessSize setting ProcessSizeMax=0

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file  oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/systemd/coredump.conf.d.*\.conf$^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)1
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage medium

Disable storing core dump

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_storage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_storage:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6
osppFMT_SMF_EXT.1
pcidssReq-3.2
os-srgSRG-OS-000480-GPOS-00227
cis1.5.1
pcidss43.3.1.1
stigrefSV-257813r925426_rule
Description
The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of Storage setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_storage:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= # BEGIN Ansible managed Storage setting Storage=none

tests the value of Storage setting in the /etc/systemd/coredump.conf.d file  oval:ssg-test_coredump_disable_storage_config_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/systemd/coredump.conf.d.*\.conf$^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)1
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps medium

Disable Core Dumps for All Users

Rule IDxccdf_org.ssgproject.content_rule_disable_users_coredumps
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_users_coredumps:def:1
Time2024-08-21T12:38:59+00:00
Severitymedium
References:
cis-csc1, 12, 13, 15, 16, 2, 7, 8
cobit5APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07
disaCCI-000366
isa-62443-2013SR 6.2, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.17.2.1
nistCM-6, SC-7(10)
nist-csfDE.CM-1, PR.DS-4
os-srgSRG-OS-000480-GPOS-00227
pcidss43.3.1.1
stigrefSV-257814r925429_rule
Description
To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:
*     hard   core    0
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)1

Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d_exists:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core1

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file  oval:ssg-test_core_dumps_limitsconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/security/limits.conf^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)1
Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield medium

Enable ExecShield via sysctl

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_exec_shield:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
cui3.1.7
disaCCI-002530
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistSC-39, CM-6(a)
nist-csfPR.PT-4
os-srgSRG-OS-000433-GPOS-00192
stigrefSV-257817r925438_rule
Description
By default on Red Hat Enterprise Linux 9 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub.
Rationale
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
OVAL test results details

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

NX is disabled  oval:ssg-test_nx_disabled_grub:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nx_disabled_grub:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/grub2/grub.cfg[\s]*noexec[\s]*=[\s]*off1
Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict medium

Restrict Exposed Kernel Pointer Addresses Access

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_kptr_restrict:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
disaCCI-002824, CCI-000366
nerc-cipCIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4
nistSC-30, SC-30(2), SC-30(5), CM-6(a)
os-srgSRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227
anssiR9
stigrefSV-257800r942971_rule
Description
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
                  
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 1
                  
Rationale
Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.
OVAL test results details

kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1

kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1

kernel.kptr_restrict static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kptr_restrict_static_pkg_correct:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/usr/lib/sysctl.d/50-redhat.confkernel.kptr_restrict = 1

kernel runtime parameter kernel.kptr_restrict set to 1 or 2  oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truekernel.kptr_restrict1
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space medium

Enable Randomized Layout of Virtual Address Space

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_randomize_va_space:def:1
Time2024-08-21T12:38:59+00:00
Severitymedium
References:
cui3.1.7
disaCCI-000366, CCI-002824
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
nerc-cipCIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4
nistSC-30, SC-30(2), CM-6(a)
pcidssReq-2.2.1
os-srgSRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227
app-srg-ctrSRG-APP-000450-CTR-001105
anssiR9
cis1.5.3
pcidss43.3.1.1
stigrefSV-257809r942975_rule
Description
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
Rationale
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.randomize_va_space static configuration  oval:ssg-test_sysctl_kernel_randomize_va_space_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1

kernel.randomize_va_space static configuration  oval:ssg-test_sysctl_kernel_randomize_va_space_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1

kernel.randomize_va_space static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter kernel.randomize_va_space set to 2  oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truekernel.randomize_va_space2
Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument medium

Enable page allocator poisoning

Rule IDxccdf_org.ssgproject.content_rule_grub2_page_poison_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_page_poison_argument:def:1
Time2024-08-21T12:38:59+00:00
Severitymedium
References:
disaCCI-001084
nistCM-6(a)
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
anssiR8
stigrefSV-257793r925366_rule
Description
To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. To ensure that page_poison=1 is added as a kernel command line argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
Rationale
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for page_poison=1 for all boot entries.  oval:ssg-test_grub2_page_poison_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_page_poison_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_page_poison_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Enable SLUB/SLAB allocator poisoningxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument medium

Enable SLUB/SLAB allocator poisoning

Rule IDxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_slub_debug_argument:def:1
Time2024-08-21T12:39:00+00:00
Severitymedium
References:
disaCCI-001084
nistCM-6(a)
os-srgSRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068
anssiR8
stigrefSV-257794r952164_rule
Description
To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug=P is added as a kernel command line argument to newly installed kernels, add slub_debug=P to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... slub_debug=P ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug=P"
Rationale
Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for slub_debug for all boot entries.  oval:ssg-test_grub2_slub_debug_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for slub_debug in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_slub_debug_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for slub_debug in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_slub_debug_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_slub_debug_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Disable storing core dumpsxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern medium

Disable storing core dumps

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_core_pattern:def:1
Time2024-08-21T12:38:57+00:00
Severitymedium
References:
disaCCI-000366
nistSC-7(10)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000480-GPOS-00227
pcidss43.3.1.1
stigrefSV-257803r942973_rule
Description
To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1

kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1

kernel.core_pattern static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_core_pattern_static_pkg_correct:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/usr/lib/sysctl.d/50-coredump.confkernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

kernel runtime parameter kernel.core_pattern set to |/bin/false  oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsekernel.core_pattern|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict low

Restrict Access to Kernel Message Buffer

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_dmesg_restrict:def:1
Time2024-08-21T12:38:57+00:00
Severitylow
References:
cui3.1.5
disaCCI-001090, CCI-001314
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
nistSI-11(a), SI-11(b)
os-srgSRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
app-srg-ctrSRG-APP-000243-CTR-000600
anssiR9
stigrefSV-257797r942965_rule
Description
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
Rationale
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1

kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1

kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter kernel.dmesg_restrict set to 1  oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsekernel.dmesg_restrict0
Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled medium

Disable Kernel Image Loading

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_kexec_load_disabled:def:1
Time2024-08-21T12:38:58+00:00
Severitymedium
References:
disaCCI-001749
nistCM-6
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153
stigrefSV-257799r942969_rule
Description
To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
Rationale
Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1

kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1

kernel.kexec_load_disabled static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter kernel.kexec_load_disabled set to 1  oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsekernel.kexec_load_disabled0
Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid low

Disallow kernel profiling by unprivileged users

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_perf_event_paranoid:def:1
Time2024-08-21T12:38:58+00:00
Severitylow
References:
disaCCI-001090
nistAC-6
osppFMT_SMF_EXT.1
os-srgSRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
app-srg-ctrSRG-APP-000243-CTR-000600
anssiR9
stigrefSV-257798r942967_rule
Description
To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2
Rationale
Kernel profiling can reveal sensitive information about kernel behaviour.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1

kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1

kernel.perf_event_paranoid static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter kernel.perf_event_paranoid set to 2  oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameValue
truekernel.perf_event_paranoid2
Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled medium

Disable Access to Network bpf() Syscall From Unprivileged Processes

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1
Time2024-08-21T12:38:58+00:00
Severitymedium
References:
disaCCI-000366
nistAC-6, SC-7(10)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
anssiR9
stigrefSV-257810r952168_rule
Description
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
Rationale
Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1

kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1

kernel.unprivileged_bpf_disabled static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsekernel.unprivileged_bpf_disabled2
Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope medium

Restrict usage of ptrace to descendant processes

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_yama_ptrace_scope:def:1
Time2024-08-21T12:38:58+00:00
Severitymedium
References:
disaCCI-000366
nistSC-7(10)
os-srgSRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
anssiR11
stigrefSV-257811r942979_rule
Description
To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1
Rationale
Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1

kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1

kernel.yama.ptrace_scope static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_pkg_correct:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/usr/lib/sysctl.d/10-default-yama-scope.confkernel.yama.ptrace_scope = 0

kernel runtime parameter kernel.yama.ptrace_scope set to 1  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsekernel.yama.ptrace_scope0
Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden medium

Harden the operation of the BPF just-in-time compiler

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_core_bpf_jit_harden:def:1
Time2024-08-21T12:38:58+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6, SC-7(10)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000480-GPOS-00227
anssiR12
stigrefSV-257942r925813_rule
Description
To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
Rationale
When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1

net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1

net.core.bpf_jit_harden static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter net.core.bpf_jit_harden set to 2  oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falsenet.core.bpf_jit_harden1
Disable the use of user namespacesxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces medium

Disable the use of user namespaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_user_max_user_namespaces:def:1
Time2024-08-21T12:38:58+00:00
Severitymedium
References:
disaCCI-000366
nistSC-39, CM-6(a)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257816r942981_rule
Description
To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.
Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.
Warnings
warning  This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, it is expected that user.max_user_namespaces will be enabled.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
OVAL test results details

user.max_user_namespaces static configuration  oval:ssg-test_sysctl_user_max_user_namespaces_static_user:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_user_max_user_namespaces:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_user_max_user_namespaces:obj:1

user.max_user_namespaces static configuration  oval:ssg-test_sysctl_user_max_user_namespaces_static_user_missing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_lib_sysctls_sysctl_user_max_user_namespaces:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_user_max_user_namespaces:obj:1

user.max_user_namespaces static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_user_max_user_namespaces_static_pkg_correct:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/lib/sysctl.d^.*\.conf$^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$1

kernel runtime parameter user.max_user_namespaces set to 0  oval:ssg-test_sysctl_user_max_user_namespaces_runtime:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameValue
falseuser.max_user_namespaces30404
Install policycoreutils-python-utils packagexccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed medium

Install policycoreutils-python-utils package

Rule IDxccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_policycoreutils-python-utils_installed:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258082r926233_rule
Description
The policycoreutils-python-utils package can be installed with the following command:
$ sudo dnf install policycoreutils-python-utils
Rationale
This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
OVAL test results details

package policycoreutils-python-utils is installed  oval:ssg-test_package_policycoreutils-python-utils_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedpolicycoreutils-python-utilsnoarch(none)2.1.el93.60:3.6-2.1.el90policycoreutils-python-utils-0:3.6-2.1.el9.noarch
Install policycoreutils Packagexccdf_org.ssgproject.content_rule_package_policycoreutils_installed low

Install policycoreutils Package

Rule IDxccdf_org.ssgproject.content_rule_package_policycoreutils_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_policycoreutils_installed:def:1
Time2024-08-21T12:35:54+00:00
Severitylow
References:
disaCCI-001084
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
stigrefSV-258081r926230_rule
Description
The policycoreutils package can be installed with the following command:
$ sudo dnf install policycoreutils
Rationale
Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on.
OVAL test results details

package policycoreutils is installed  oval:ssg-test_package_policycoreutils_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedpolicycoreutilsx86_64(none)2.1.el93.60:3.6-2.1.el90policycoreutils-0:3.6-2.1.el9.x86_64
Ensure No Device Files are Unlabeled by SELinuxxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled medium

Ensure No Device Files are Unlabeled by SELinux

Rule IDxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_all_devicefiles_labeled:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 5, 6, 7, 8, 9
cobit5APO01.06, APO11.04, BAI01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01
cui3.1.2, 3.1.5, 3.7.2
disaCCI-000022, CCI-000032, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814
isa-62443-20094.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 6.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6
nist-csfDE.CM-1, DE.CM-7, PR.AC-4, PR.DS-5, PR.IP-1, PR.IP-3, PR.PT-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257932r925783_rule
Description
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
Rationale
If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file.
Warnings
warning  Automatic remediation of this control is not available. The remediation can be achieved by amending SELinux policy.
OVAL test results details

device_t in /dev  oval:ssg-test_selinux_dev_device_t:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_device_t:obj:1 of type selinuxsecuritycontext_object
FilepathFilter
/dev/vmbus/hv_kvp
/dev/snd/seq
/dev/vhost-vsock
/dev/vhost-net
/dev/vhci
/dev/vfio/vfio
/dev/uinput
/dev/dm-0
/dev/fb0
/dev/dri/card0
/dev/sda5
/dev/sda3
/dev/sda2
/dev/sda1
/dev/uhid
/dev/net/tun
/dev/loop-control
/dev/fuse
/dev/cpu_dma_latency
/dev/mcelog
/dev/rtc0
/dev/input/event2
/dev/usbmon0
/dev/udmabuf
/dev/nvram
/dev/hpet
/dev/ttyS3
/dev/ttyS2
/dev/ttyS1
/dev/ttyS0
/dev/ptmx
/dev/autofs
/dev/userfaultfd
/dev/snapshot
/dev/hwrng
/dev/tty63
/dev/tty62
/dev/tty61
/dev/tty60
/dev/tty59
/dev/tty58
/dev/tty57
/dev/tty56
/dev/tty55
/dev/tty54
/dev/tty53
/dev/tty52
/dev/tty51
/dev/tty50
/dev/tty49
/dev/tty48
/dev/tty47
/dev/tty46
/dev/tty45
/dev/tty44
/dev/tty43
/dev/tty42
/dev/tty41
/dev/tty40
/dev/tty39
/dev/tty38
/dev/tty37
/dev/tty36
/dev/tty35
/dev/tty34
/dev/tty33
/dev/tty32
/dev/tty31
/dev/tty30
/dev/tty29
/dev/tty28
/dev/tty27
/dev/tty26
/dev/tty25
/dev/tty24
/dev/tty23
/dev/tty22
/dev/tty21
/dev/tty20
/dev/tty19
/dev/tty18
/dev/tty17
/dev/tty16
/dev/tty15
/dev/tty14
/dev/tty13
/dev/tty12
/dev/tty11
/dev/tty10
/dev/tty9
/dev/tty8
/dev/tty7
/dev/tty6
/dev/tty5
/dev/tty4
/dev/tty3
/dev/tty2
/dev/tty1
/dev/vcsa1
/dev/vcsu1
/dev/vcs1
/dev/vcsa
/dev/vcsu
/dev/tty0
/dev/console
/dev/kmsg
/dev/urandom
/dev/ptp1
/dev/vcsa6
/dev/vcsu6
/dev/vcs6
/dev/isst_interface
/dev/kvm
/dev/random
/dev/full
/dev/zero
/dev/port
/dev/null
/dev/vga_arbiter
/dev/ptp0
/dev/snd/timer
/dev/ppp
/dev/infiniband/uverbs0
/dev/bsg/0:0:0:1
/dev/sda4
/dev/sdb
/dev/sdb1
/dev/sda
/dev/sg1
/dev/sg0
/dev/bsg/0:0:0:0
/dev/rfkill
/dev/cpu/1/cpuid
/dev/mapper/control
/dev/pts/ptmx
/dev/pts/0
/dev/dma_heap/system
/dev/input/js0
/dev/input/event1
/dev/input/mouse0
/dev/input/event0
/dev/input/mice
/dev/cpu/0/cpuid
/dev/cpu/1/msr
/dev/cpu/0/msr
/dev/vcs
/dev/tty
/dev/mem
oval:ssg-state_selinux_dev_device_t:ste:1

unlabeled_t in /dev  oval:ssg-test_selinux_dev_unlabeled_t:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_unlabeled_t:obj:1 of type selinuxsecuritycontext_object
FilepathFilter
/dev/vmbus/hv_kvp
/dev/snd/seq
/dev/vhost-vsock
/dev/vhost-net
/dev/vhci
/dev/vfio/vfio
/dev/uinput
/dev/dm-0
/dev/fb0
/dev/dri/card0
/dev/sda5
/dev/sda3
/dev/sda2
/dev/sda1
/dev/uhid
/dev/net/tun
/dev/loop-control
/dev/fuse
/dev/cpu_dma_latency
/dev/mcelog
/dev/rtc0
/dev/input/event2
/dev/usbmon0
/dev/udmabuf
/dev/nvram
/dev/hpet
/dev/ttyS3
/dev/ttyS2
/dev/ttyS1
/dev/ttyS0
/dev/ptmx
/dev/autofs
/dev/userfaultfd
/dev/snapshot
/dev/hwrng
/dev/tty63
/dev/tty62
/dev/tty61
/dev/tty60
/dev/tty59
/dev/tty58
/dev/tty57
/dev/tty56
/dev/tty55
/dev/tty54
/dev/tty53
/dev/tty52
/dev/tty51
/dev/tty50
/dev/tty49
/dev/tty48
/dev/tty47
/dev/tty46
/dev/tty45
/dev/tty44
/dev/tty43
/dev/tty42
/dev/tty41
/dev/tty40
/dev/tty39
/dev/tty38
/dev/tty37
/dev/tty36
/dev/tty35
/dev/tty34
/dev/tty33
/dev/tty32
/dev/tty31
/dev/tty30
/dev/tty29
/dev/tty28
/dev/tty27
/dev/tty26
/dev/tty25
/dev/tty24
/dev/tty23
/dev/tty22
/dev/tty21
/dev/tty20
/dev/tty19
/dev/tty18
/dev/tty17
/dev/tty16
/dev/tty15
/dev/tty14
/dev/tty13
/dev/tty12
/dev/tty11
/dev/tty10
/dev/tty9
/dev/tty8
/dev/tty7
/dev/tty6
/dev/tty5
/dev/tty4
/dev/tty3
/dev/tty2
/dev/tty1
/dev/vcsa1
/dev/vcsu1
/dev/vcs1
/dev/vcsa
/dev/vcsu
/dev/tty0
/dev/console
/dev/kmsg
/dev/urandom
/dev/ptp1
/dev/vcsa6
/dev/vcsu6
/dev/vcs6
/dev/isst_interface
/dev/kvm
/dev/random
/dev/full
/dev/zero
/dev/port
/dev/null
/dev/vga_arbiter
/dev/ptp0
/dev/snd/timer
/dev/ppp
/dev/infiniband/uverbs0
/dev/bsg/0:0:0:1
/dev/sda4
/dev/sdb
/dev/sdb1
/dev/sda
/dev/sg1
/dev/sg0
/dev/bsg/0:0:0:0
/dev/rfkill
/dev/cpu/1/cpuid
/dev/mapper/control
/dev/pts/ptmx
/dev/pts/0
/dev/dma_heap/system
/dev/input/js0
/dev/input/event1
/dev/input/mouse0
/dev/input/event0
/dev/input/mice
/dev/cpu/0/cpuid
/dev/cpu/1/msr
/dev/cpu/0/msr
/dev/vcs
/dev/tty
/dev/mem
oval:ssg-state_selinux_dev_unlabeled_t:ste:1
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype medium

Configure SELinux Policy

Rule IDxccdf_org.ssgproject.content_rule_selinux_policytype
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_policytype:def:1
Time2024-08-21T12:35:54+00:00
Severitymedium
References:
bsiAPP.4.4.A4
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
cui3.1.2, 3.7.2
disaCCI-002165, CCI-002696
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-20094.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nistAC-3, AC-3(3)(a), AU-9, SC-7(21)
nist-csfDE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000445-GPOS-00199
app-srg-ctrSRG-APP-000233-CTR-000585
anssiR46, R64
cis1.6.1.3
pcidss41.2.6
stigrefSV-258079r926224_rule
Description
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=targeted
              
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale
Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.
OVAL test results details

Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file  oval:ssg-test_selinux_policy:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/selinux/configSELINUXTYPE=targeted
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state high

Ensure SELinux State is Enforcing

Rule IDxccdf_org.ssgproject.content_rule_selinux_state
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_state:def:1
Time2024-08-21T12:35:54+00:00
Severityhigh
References:
bsiAPP.4.4.A4
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
cobit5APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
cui3.1.2, 3.7.2
disaCCI-001084, CCI-002165, CCI-002696
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-20094.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nistAC-3, AC-3(3)(a), AU-9, SC-7(21)
nist-csfDE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068
anssiR37, R79
cis1.6.1.5
pcidss41.2.6
stigrefSV-258078r926221_rule
Description
The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
              
Rationale
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
OVAL test results details

/selinux/enforce is 1  oval:ssg-test_etc_selinux_config:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/selinux/configSELINUX=enforcing
Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled medium

Disable KDump Kernel Crash Analyzer (kdump)

Rule IDxccdf_org.ssgproject.content_rule_service_kdump_disabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_kdump_disabled:def:1
Time2024-08-21T12:39:01+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000366, CCI-001665
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
osppFMT_SMF_EXT.1.1
os-srgSRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227
stigrefSV-257818r925441_rule
Description
The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
Rationale
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Removed "/etc/systemd/system/multi-user.target.wants/kdump.service".
Created symlink /etc/systemd/system/kdump.service → /dev/null.
OVAL test results details

package kexec-tools is removed  oval:ssg-service_kdump_disabled_test_service_kdump_package_kexec-tools_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedkexec-toolsx86_64(none)8.el9_4.32.0.270:2.0.27-8.el9_4.30kexec-tools-0:2.0.27-8.el9_4.3.x86_64

Test that the kdump service is not running  oval:ssg-test_service_not_running_service_kdump_disabled_kdump:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
falsekdump.serviceActiveStateactive

Test that the property LoadState from the service kdump is masked  oval:ssg-test_service_loadstate_is_masked_service_kdump_disabled_kdump:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
falsekdump.serviceLoadStateloaded
Verify Group Who Owns cron.dxccdf_org.ssgproject.content_rule_file_groupowner_cron_d medium

Verify Group Who Owns cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_d:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.7
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.d, run the command:
$ sudo chgrp root /etc/cron.d
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.d/  oval:ssg-test_file_groupowner_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1
Verify Group Who Owns cron.dailyxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily medium

Verify Group Who Owns cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_daily:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.4
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.daily, run the command:
$ sudo chgrp root /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.daily/  oval:ssg-test_file_groupowner_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1
Verify Group Who Owns cron.denyxccdf_org.ssgproject.content_rule_file_groupowner_cron_deny medium

Verify Group Who Owns cron.deny

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_deny
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_deny:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6 b
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.deny, run the command:
$ sudo chgrp root /etc/cron.deny
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.deny  oval:ssg-test_file_groupowner_cron_deny_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_deny_0:obj:1 of type file_object
FilepathFilterFilter
/etc/cron.denyoval:ssg-symlink_file_groupowner_cron_deny_uid_0:ste:1oval:ssg-state_file_groupowner_cron_deny_gid_0_0:ste:1
Verify Group Who Owns cron.hourlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly medium

Verify Group Who Owns cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_hourly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.3
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.hourly, run the command:
$ sudo chgrp root /etc/cron.hourly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.hourly/  oval:ssg-test_file_groupowner_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1
Verify Group Who Owns cron.monthlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly medium

Verify Group Who Owns cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_monthly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.6
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.monthly, run the command:
$ sudo chgrp root /etc/cron.monthly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.monthly/  oval:ssg-test_file_groupowner_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1
Verify Group Who Owns cron.weeklyxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly medium

Verify Group Who Owns cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_weekly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.5
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/cron.weekly, run the command:
$ sudo chgrp root /etc/cron.weekly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.weekly/  oval:ssg-test_file_groupowner_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1
Verify Group Who Owns Crontabxccdf_org.ssgproject.content_rule_file_groupowner_crontab medium

Verify Group Who Owns Crontab

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_crontab:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.2
pcidss42.2.6
stigrefSV-257927r925768_rule
Description
To properly set the group owner of /etc/crontab, run the command:
$ sudo chgrp root /etc/crontab
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/crontab  oval:ssg-test_file_groupowner_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1
Verify Owner on cron.dxccdf_org.ssgproject.content_rule_file_owner_cron_d medium

Verify Owner on cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_d:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.7
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.d, run the command:
$ sudo chown root /etc/cron.d 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.d/  oval:ssg-test_file_owner_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-symlink_file_owner_cron_d_uid_0:ste:1oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1
Verify Owner on cron.dailyxccdf_org.ssgproject.content_rule_file_owner_cron_daily medium

Verify Owner on cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_daily:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.4
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.daily, run the command:
$ sudo chown root /etc/cron.daily 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.daily/  oval:ssg-test_file_owner_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1
Verify Owner on cron.denyxccdf_org.ssgproject.content_rule_file_owner_cron_deny medium

Verify Owner on cron.deny

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_deny
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_deny:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6 b
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.deny, run the command:
$ sudo chown root /etc/cron.deny 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.deny  oval:ssg-test_file_owner_cron_deny_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_deny_0:obj:1 of type file_object
FilepathFilterFilter
/etc/cron.denyoval:ssg-symlink_file_owner_cron_deny_uid_0:ste:1oval:ssg-state_file_owner_cron_deny_uid_0_0:ste:1
Verify Owner on cron.hourlyxccdf_org.ssgproject.content_rule_file_owner_cron_hourly medium

Verify Owner on cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_hourly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.3
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.hourly, run the command:
$ sudo chown root /etc/cron.hourly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.hourly/  oval:ssg-test_file_owner_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1
Verify Owner on cron.monthlyxccdf_org.ssgproject.content_rule_file_owner_cron_monthly medium

Verify Owner on cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_monthly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.6
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.monthly, run the command:
$ sudo chown root /etc/cron.monthly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.monthly/  oval:ssg-test_file_owner_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1
Verify Owner on cron.weeklyxccdf_org.ssgproject.content_rule_file_owner_cron_weekly medium

Verify Owner on cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_weekly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.5
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/cron.weekly, run the command:
$ sudo chown root /etc/cron.weekly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.weekly/  oval:ssg-test_file_owner_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1
Verify Owner on crontabxccdf_org.ssgproject.content_rule_file_owner_crontab medium

Verify Owner on crontab

Rule IDxccdf_org.ssgproject.content_rule_file_owner_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_crontab:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.2
pcidss42.2.6
stigrefSV-257926r925765_rule
Description
To properly set the owner of /etc/crontab, run the command:
$ sudo chown root /etc/crontab 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/crontab  oval:ssg-test_file_owner_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-symlink_file_owner_crontab_uid_0:ste:1oval:ssg-state_file_owner_crontab_uid_0_0:ste:1
Verify Permissions on cron.dxccdf_org.ssgproject.content_rule_file_permissions_cron_d medium

Verify Permissions on cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_d:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.7
pcidss42.2.6
stigrefSV-257888r925651_rule
Description
To properly set the permissions of /etc/cron.d, run the command:
$ sudo chmod 0700 /etc/cron.d
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.d/  oval:ssg-test_file_permissions_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-exclude_symlinks__cron_d:ste:1oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.dailyxccdf_org.ssgproject.content_rule_file_permissions_cron_daily medium

Verify Permissions on cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_daily:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.4
pcidss42.2.6
stigrefSV-257888r925651_rule
Description
To properly set the permissions of /etc/cron.daily, run the command:
$ sudo chmod 0700 /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.daily/  oval:ssg-test_file_permissions_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-exclude_symlinks__cron_daily:ste:1oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.hourlyxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly medium

Verify Permissions on cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_hourly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.3
pcidss42.2.6
stigrefSV-257888r925651_rule
Description
To properly set the permissions of /etc/cron.hourly, run the command:
$ sudo chmod 0700 /etc/cron.hourly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.hourly/  oval:ssg-test_file_permissions_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-exclude_symlinks__cron_hourly:ste:1oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.monthlyxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly medium

Verify Permissions on cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_monthly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.6
pcidss42.2.6
stigrefSV-257888r925651_rule
Description
To properly set the permissions of /etc/cron.monthly, run the command:
$ sudo chmod 0700 /etc/cron.monthly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.monthly/  oval:ssg-test_file_permissions_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-exclude_symlinks__cron_monthly:ste:1oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.weeklyxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly medium

Verify Permissions on cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_weekly:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.5
pcidss42.2.6
stigrefSV-257888r925651_rule
Description
To properly set the permissions of /etc/cron.weekly, run the command:
$ sudo chmod 0700 /etc/cron.weekly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.weekly/  oval:ssg-test_file_permissions_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-exclude_symlinks__cron_weekly:ste:1oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1
Verify Permissions on crontabxccdf_org.ssgproject.content_rule_file_permissions_crontab medium

Verify Permissions on crontab

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_crontab:def:1
Time2024-08-21T12:35:55+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
cis5.1.2
pcidss42.2.6
stigrefSV-257933r925786_rule
Description
To properly set the permissions of /etc/crontab, run the command:
$ sudo chmod 0600 /etc/crontab
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/crontab  oval:ssg-test_file_permissions_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-exclude_symlinks__crontab:ste:1oval:ssg-state_file_permissions_crontab_0_mode_0600or_stricter_:ste:1
Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed medium

Install fapolicyd Package

Rule IDxccdf_org.ssgproject.content_rule_package_fapolicyd_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_fapolicyd_installed:def:1
Time2024-08-21T12:39:16+00:00
Severitymedium
References:
disaCCI-001764, CCI-001774
nistCM-6(a), SI-4(22)
os-srgSRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230
stigrefSV-258089r926254_rule
Description
The fapolicyd package can be installed with the following command:
$ sudo dnf install fapolicyd
Rationale
fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:48:55 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package                  Arch       Version                Repository     Size
================================================================================
Installing:
 fapolicyd                x86_64     1.3.2-100.el9          appstream     133 k
Installing dependencies:
 rpm-plugin-fapolicyd     x86_64     4.16.1.3-29.el9        appstream      16 k
Installing weak dependencies:
 fapolicyd-selinux        noarch     1.3.2-100.el9          appstream      23 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 172 k
Installed size: 332 k
Downloading Packages:
(1/3): rpm-plugin-fapolicyd-4.16.1.3-29.el9.x86  49 kB/s |  16 kB     00:00    
(2/3): fapolicyd-1.3.2-100.el9.x86_64.rpm       402 kB/s | 133 kB     00:00    
(3/3): fapolicyd-selinux-1.3.2-100.el9.noarch.r  70 kB/s |  23 kB     00:00    
--------------------------------------------------------------------------------
Total                                           332 kB/s | 172 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : rpm-plugin-fapolicyd-4.16.1.3-29.el9.x86_64            1/3 
  Running scriptlet: fapolicyd-selinux-1.3.2-100.el9.noarch                 2/3 
  Installing       : fapolicyd-selinux-1.3.2-100.el9.noarch                 2/3 
  Running scriptlet: fapolicyd-selinux-1.3.2-100.el9.noarch                 2/3 
  Running scriptlet: fapolicyd-1.3.2-100.el9.x86_64                         3/3 
  Installing       : fapolicyd-1.3.2-100.el9.x86_64                         3/3 
  Running scriptlet: fapolicyd-1.3.2-100.el9.x86_64                         3/3 
  Running scriptlet: fapolicyd-selinux-1.3.2-100.el9.noarch                 3/3 
  Running scriptlet: fapolicyd-1.3.2-100.el9.x86_64                         3/3 
  Verifying        : fapolicyd-1.3.2-100.el9.x86_64                         1/3 
  Verifying        : fapolicyd-selinux-1.3.2-100.el9.noarch                 2/3 
  Verifying        : rpm-plugin-fapolicyd-4.16.1.3-29.el9.x86_64            3/3 
Installed products updated.

Installed:
  fapolicyd-1.3.2-100.el9.x86_64                                                
  fapolicyd-selinux-1.3.2-100.el9.noarch                                        
  rpm-plugin-fapolicyd-4.16.1.3-29.el9.x86_64                                   

Complete!
OVAL test results details

package fapolicyd is installed  oval:ssg-test_package_fapolicyd_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_fapolicyd_installed:obj:1 of type rpminfo_object
Name
fapolicyd
Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled medium

Enable the File Access Policy Service

Rule IDxccdf_org.ssgproject.content_rule_service_fapolicyd_enabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_fapolicyd_enabled:def:1
Time2024-08-21T12:39:19+00:00
Severitymedium
References:
disaCCI-001764, CCI-001774
nistCM-6(a), SI-4(22)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230
stigrefSV-258090r926257_rule
Description
The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
Rationale
The fapolicyd service (File Access Policy Daemon) implements application whitelisting to decide file access rights.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Created symlink /etc/systemd/system/multi-user.target.wants/fapolicyd.service → /usr/lib/systemd/system/fapolicyd.service.
OVAL test results details

package fapolicyd is installed  oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1 of type rpminfo_object
Name
fapolicyd

Test that the fapolicyd service is running  oval:ssg-test_service_running_fapolicyd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_fapolicyd:obj:1 of type systemdunitproperty_object
UnitProperty
^fapolicyd\.(socket|service)$ActiveState

systemd test  oval:ssg-test_multi_user_wants_fapolicyd:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed high

Uninstall vsftpd Package

Rule IDxccdf_org.ssgproject.content_rule_package_vsftpd_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_vsftpd_removed:def:1
Time2024-08-21T12:35:56+00:00
Severityhigh
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
disaCCI-000197, CCI-000366, CCI-000381
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
cis2.2.6
stigrefSV-257826r925465_rule
Description
The vsftpd package can be removed with the following command:
 $ sudo dnf erase vsftpd
Rationale
Removing the vsftpd package decreases the risk of its accidental activation.
OVAL test results details

package vsftpd is removed  oval:ssg-test_package_vsftpd_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
Name
vsftpd
Disable Kerberos by removing host keytabxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab medium

Disable Kerberos by removing host keytab

Rule IDxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
disaCCI-000803
ism0418, 1055, 1402
osppFTP_ITC_EXT.1
os-srgSRG-OS-000120-GPOS-00061
stigrefSV-258130r926377_rule
Description
Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab.
Rationale
The key derivation function (KDF) in Kerberos is not FIPS compatible.
Configure System to Forward All Mail For The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias medium

Configure System to Forward All Mail For The Root Account

Rule IDxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-postfix_client_configure_mail_alias:def:1
Time2024-08-21T12:39:24+00:00
Severitymedium
References:
disaCCI-000139, CCI-000366
nistCM-6(a)
os-srgSRG-OS-000046-GPOS-00022
anssiR75
stigrefSV-258174r926509_rule
Description
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address change_me@localhost is a valid email address reachable from the system in question. Use the following command to configure the alias:
$ sudo echo "root: change_me@localhost" >> /etc/aliases
$ sudo newaliases
Rationale
A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check if root has the correct mail alias.  oval:ssg-test_postfix_client_configure_mail_alias:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_root_mail_alias:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/aliases^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$1
Configure System to Forward All Mail From Postmaster to The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster medium

Configure System to Forward All Mail From Postmaster to The Root Account

Rule IDxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-postfix_client_configure_mail_alias_postmaster:def:1
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
disaCCI-000139
nistAU-5(a), AU-5.1(ii)
os-srgSRG-OS-000046-GPOS-00022
stigrefSV-257953r925846_rule
Description
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root".
$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root
Rationale
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
OVAL test results details

Check if postmaster has the correct mail alias  oval:ssg-test_postfix_client_configure_mail_alias_postmaster:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/aliasespostmaster: root
Prevent Unrestricted Mail Relayingxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay medium

Prevent Unrestricted Mail Relaying

Rule IDxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257951r925840_rule
Description
Modify the
/etc/postfix/main.cf
file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
Rationale
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
The s-nail Package Is Installedxccdf_org.ssgproject.content_rule_package_s-nail_installed medium

The s-nail Package Is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_s-nail_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_s-nail_installed:def:1
Time2024-08-21T12:39:24+00:00
Severitymedium
References:
disaCCI-001744
nistCM-3(5)
os-srgSRG-OS-000363-GPOS-00150
stigrefSV-257842r942959_rule
Description
A mail server is required for sending emails. The s-nail package can be installed with the following command:
$ sudo dnf install s-nail
Rationale
Emails can be used to notify designated personnel about important system events such as failures or warnings.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:49:13 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package        Architecture   Version                  Repository         Size
================================================================================
Installing:
 s-nail         x86_64         14.9.22-6.el9            appstream         621 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 621 k
Installed size: 1.1 M
Downloading Packages:
s-nail-14.9.22-6.el9.x86_64.rpm                 516 kB/s | 621 kB     00:01    
--------------------------------------------------------------------------------
Total                                           450 kB/s | 621 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: s-nail-14.9.22-6.el9.x86_64                            1/1 
  Installing       : s-nail-14.9.22-6.el9.x86_64                            1/1 
  Running scriptlet: s-nail-14.9.22-6.el9.x86_64                            1/1 
  Verifying        : s-nail-14.9.22-6.el9.x86_64                            1/1 
Installed products updated.

Installed:
  s-nail-14.9.22-6.el9.x86_64                                                   

Complete!
OVAL test results details

package s-nail is installed  oval:ssg-test_package_s-nail_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_s-nail_installed:obj:1 of type rpminfo_object
Name
s-nail
Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed medium

Uninstall Sendmail Package

Rule IDxccdf_org.ssgproject.content_rule_package_sendmail_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_sendmail_removed:def:1
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
cis-csc11, 14, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
disaCCI-000381
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049
anssiR62
stigrefSV-257827r925468_rule
Description
Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:
$ sudo dnf erase sendmail
Rationale
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
OVAL test results details

package sendmail is removed  oval:ssg-test_package_sendmail_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type rpminfo_object
Name
sendmail
Mount Remote Filesystems with Kerberos Securityxccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems medium

Mount Remote Filesystems with Kerberos Security

Rule IDxccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
cis-csc1, 12, 14, 15, 16, 18, 3, 5
cobit5DSS05.04, DSS05.10, DSS06.10
disaCCI-000366
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.6.1.2, A.9.1.2, A.9.2.1, A.9.2.3, A.9.2.4, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nistCM-7(a), CM-7(b), CM-6(a), IA-2, IA-2(8), IA-2(9), AC-17(a)
nist-csfPR.AC-4, PR.AC-7
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257853r925546_rule
Description
Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.
Mount Remote Filesystems with nodevxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems medium

Mount Remote Filesystems with nodev

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
cis-csc11, 13, 14, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2
nistCM-6(a), MP-2
nist-csfPR.IP-1, PR.PT-2, PR.PT-3
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257854r925549_rule
Description
Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems medium

Mount Remote Filesystems with noexec

Rule IDxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-6, AC-6(8), AC-6(10), CM-6(a)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257855r925552_rule
Description
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems medium

Mount Remote Filesystems with nosuid

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-6, AC-6(1), CM6(a)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257856r925555_rule
Description
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
Uninstall nfs-utils Packagexccdf_org.ssgproject.content_rule_package_nfs-utils_removed low

Uninstall nfs-utils Package

Rule IDxccdf_org.ssgproject.content_rule_package_nfs-utils_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_nfs-utils_removed:def:1
Time2024-08-21T12:35:56+00:00
Severitylow
References:
os-srgSRG-OS-000095-GPOS-00049
stigrefSV-257828r925471_rule
Description
The nfs-utils package can be removed with the following command:
$ sudo dnf erase nfs-utils
Rationale
nfs-utils provides a daemon for the kernel NFS server and related tools. This package also contains the showmount program. showmount queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, showmount can display the clients which are mounted on that host.
OVAL test results details

package nfs-utils is removed  oval:ssg-test_package_nfs-utils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_nfs-utils_removed:obj:1 of type rpminfo_object
Name
nfs-utils
The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed medium

The Chrony package is installed

Rule IDxccdf_org.ssgproject.content_rule_package_chrony_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_chrony_installed:def:1
Time2024-08-21T12:35:56+00:00
Severitymedium
References:
ism0988, 1405
osppFMT_SMF_EXT.1
pcidssReq-10.4
os-srgSRG-OS-000355-GPOS-00143
anssiR71
pcidss410.6.1
stigrefSV-257943r925816_rule
Description
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The chrony package can be installed with the following command:
$ sudo dnf install chrony
Rationale
Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.
OVAL test results details

package chrony is installed  oval:ssg-test_package_chrony_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedchronyx86_64(none)1.el94.50:4.5-1.el90chrony-0:4.5-1.el9.x86_64
The Chronyd service is enabledxccdf_org.ssgproject.content_rule_service_chronyd_enabled medium

The Chronyd service is enabled

Rule IDxccdf_org.ssgproject.content_rule_service_chronyd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_chronyd_enabled:def:1
Time2024-08-21T12:35:58+00:00
Severitymedium
References:
ism0988, 1405
os-srgSRG-OS-000355-GPOS-00143
stigrefSV-257944r925819_rule
Description
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable Chronyd service, you can run: # systemctl enable chronyd.service This recommendation only applies if chrony is in use on the system.
Rationale
If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
OVAL test results details

package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedchronyx86_64(none)1.el94.50:4.5-1.el90chrony-0:4.5-1.el9.x86_64

Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truechronyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server medium

A remote time server for Chrony is configured

Rule IDxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_specify_remote_server:def:1
Time2024-08-21T12:35:58+00:00
Severitymedium
References:
disaCCI-000160, CCI-001891
ism0988, 1405
nistCM-6(a), AU-8(1)(a)
pcidssReq-10.4.3
os-srgSRG-OS-000355-GPOS-00143
anssiR71
cis2.1.2
pcidss410.6.2
stigrefSV-257945r925822_rule
Description
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured.
Rationale
If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
OVAL test results details

Ensure at least one NTP server is set  oval:ssg-test_chronyd_remote_server:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/chrony.confpool 2.rocky.pool.ntp.org iburst
Disable chrony daemon from acting as serverxccdf_org.ssgproject.content_rule_chronyd_client_only low

Disable chrony daemon from acting as server

Rule IDxccdf_org.ssgproject.content_rule_chronyd_client_only
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_client_only:def:1
Time2024-08-21T12:39:26+00:00
Severitylow
References:
disaCCI-000381
nistAU-8(1), AU-12(1)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
stigrefSV-257946r925825_rule
Description
The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.
Rationale
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedchronyx86_64(none)1.el94.50:4.5-1.el90chrony-0:4.5-1.el9.x86_64

Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truechronyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

check if port is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_client_only:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_port_value:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/chrony.conf^\s*port[\s]+(\S+)1
Disable network management of chrony daemonxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network low

Disable network management of chrony daemon

Rule IDxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_no_chronyc_network:def:1
Time2024-08-21T12:39:26+00:00
Severitylow
References:
disaCCI-000381
nistCM-7(1)
osppFMT_SMF_EXT.1
os-srgSRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
stigrefSV-257947r925828_rule
Description
The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
Rationale
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedchronyx86_64(none)1.el94.50:4.5-1.el90chrony-0:4.5-1.el9.x86_64

Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truechronyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

check if cmdport is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_no_chronyc_network:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/chrony.conf^\s*cmdport[\s]+(\S+)1
Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll medium

Configure Time Service Maxpoll Interval

Rule IDxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_or_ntpd_set_maxpoll:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc1, 14, 15, 16, 3, 5, 6
cobit5APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
disaCCI-001891, CCI-002046
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nistCM-6(a), AU-8(1)(b), AU-12(1)
nist-csfPR.PT-1
os-srgSRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146
stigrefSV-257945r925822_rule
Description
The maxpoll should be configured to 16 in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following after each `server`, `pool` or `peer` entry:
maxpoll 16
              
to
server
directives. If using chrony any
pool
directives should be configured too. If no server or pool directives are configured, the rule evaluates to pass.
Rationale
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check if no server entries in /etc/ntp.conf  oval:ssg-test_ntp_no_server:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_no_server_nor_pool:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server.*1

check if maxpoll is set in /etc/ntp.conf  oval:ssg-test_ntp_set_maxpoll:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server[\s]+[\S]+.*maxpoll[\s]+(\d+)1

check if all server entries have maxpoll set in /etc/ntp.conf  oval:ssg-test_ntp_all_server_has_maxpoll:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server[\s]+[\S]+[\s]+(.*)1

check if no server entries have server or pool set in /etc/chrony.conf  oval:ssg-test_chrony_no_server_nor_pool:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/chrony.confpool 2.rocky.pool.ntp.org iburst

check if maxpoll is set in /etc/chrony.conf  oval:ssg-test_chrony_set_maxpoll:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/chrony\.(conf|d/.+\.conf)$^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+)1

check if all server entries have maxpoll set in /etc/chrony.conf  oval:ssg-test_chrony_all_server_has_maxpoll:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/chrony.confpool 2.rocky.pool.ntp.org iburst
Ensure Chrony is only configured with the server directivexccdf_org.ssgproject.content_rule_chronyd_server_directive medium

Ensure Chrony is only configured with the server directive

Rule IDxccdf_org.ssgproject.content_rule_chronyd_server_directive
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_server_directive:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
disaCCI-001891
os-srgSRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146
stigrefSV-257945r925822_rule
Description
Check that Chrony only has time sources configured with the server directive.
Rationale
Depending on the infrastructure being used the pool directive may not be supported.
Warnings
warning  This rule doesn't come with a remediation, the time source needs to be added by the administrator.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

Ensure at least one time source is set with server directive  oval:ssg-test_chronyd_server_directive_with_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_server_directive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/chrony\.(conf|d/.+\.conf)$^[\s]*server.*$1

Ensure no time source is set with pool directive  oval:ssg-test_chronyd_server_directive_no_pool:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_no_pool_directive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/chrony\.(conf|d/.+\.conf)$^[\s]+pool.*$1
Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed high

Uninstall ypserv Package

Rule IDxccdf_org.ssgproject.content_rule_package_ypserv_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_ypserv_removed:def:1
Time2024-08-21T12:35:58+00:00
Severityhigh
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000381
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), IA-5(1)(c)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
pcidssReq-2.2.2
os-srgSRG-OS-000095-GPOS-00049
anssiR62
pcidss42.2.4
stigrefSV-257829r925474_rule
Description
The ypserv package can be removed with the following command:
$ sudo dnf erase ypserv
Rationale
The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Warnings
warning  The package is not available in Red Hat Enterprise Linux 9.
OVAL test results details

package ypserv is removed  oval:ssg-test_package_ypserv_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ypserv_removed:obj:1 of type rpminfo_object
Name
ypserv
Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed high

Uninstall rsh-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_rsh-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsh-server_removed:def:1
Time2024-08-21T12:35:58+00:00
Severityhigh
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000381
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a), IA-5(1)(c)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000095-GPOS-00049
anssiR62
pcidss42.2.4
stigrefSV-257830r925477_rule
Description
The rsh-server package can be removed with the following command:
$ sudo dnf erase rsh-server
Rationale
The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Warnings
warning  The package is not available in Red Hat Enterprise Linux 9.
OVAL test results details

package rsh-server is removed  oval:ssg-test_package_rsh-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type rpminfo_object
Name
rsh-server
Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files high

Remove Host-Based Authentication Files

Rule IDxccdf_org.ssgproject.content_rule_no_host_based_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_host_based_files:def:1
Time2024-08-21T12:35:59+00:00
Severityhigh
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257955r925852_rule
Description
The shosts.equiv file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
Rationale
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
OVAL test results details

look for shosts.equiv in /  oval:ssg-test_no_shosts_equiv:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type file_object
BehaviorsPathFilename
no value/shosts.equiv
Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files high

Remove User Host-Based Authentication Files

Rule IDxccdf_org.ssgproject.content_rule_no_user_host_based_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_user_host_based_files:def:1
Time2024-08-21T12:36:00+00:00
Severityhigh
References:
disaCCI-000366
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257956r925855_rule
Description
The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
Rationale
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
OVAL test results details

look for .shosts in /  oval:ssg-test_no_shosts:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type file_object
BehaviorsPathFilename
no value/.shosts
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed high

Uninstall telnet-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_telnet-server_removed:def:1
Time2024-08-21T12:36:00+00:00
Severityhigh
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000381
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
pcidssReq-2.2.2
os-srgSRG-OS-000095-GPOS-00049
anssiR62
cis2.2.13
pcidss42.2.4
stigrefSV-257831r925480_rule
Description
The telnet-server package can be removed with the following command:
$ sudo dnf erase telnet-server
Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
OVAL test results details

package telnet-server is removed  oval:ssg-test_package_telnet-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
Name
telnet-server
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed high

Uninstall tftp-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_tftp-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tftp-server_removed:def:1
Time2024-08-21T12:36:00+00:00
Severityhigh
References:
cis-csc11, 12, 14, 15, 3, 8, 9
cobit5APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disaCCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
anssiR62
cis2.2.7
pcidss42.2.4
stigrefSV-257835r952171_rule
Description
The tftp-server package can be removed with the following command:
 $ sudo dnf erase tftp-server
Rationale
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
OVAL test results details

package tftp-server is removed  oval:ssg-test_package_tftp-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
Name
tftp-server
Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode medium

Ensure tftp Daemon Uses Secure Mode

Rule IDxccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:36:00+00:00
Severitymedium
References:
cis-csc11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9
cobit5APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
disaCCI-000366
isa-62443-20094.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(b), AC-6, CM-7(a)
nist-csfPR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257952r925843_rule
Description
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service:
$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service
and ensure the ExecStart line on that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
                
Rationale
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
Uninstall quagga Packagexccdf_org.ssgproject.content_rule_package_quagga_removed low

Uninstall quagga Package

Rule IDxccdf_org.ssgproject.content_rule_package_quagga_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_quagga_removed:def:1
Time2024-08-21T12:36:00+00:00
Severitylow
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS05.02
disaCCI-000366
isa-62443-2013SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.13.1.1, A.13.2.1, A.14.1.3
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.PT-4
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257836r925495_rule
Description
The quagga package can be removed with the following command:
 $ sudo dnf erase quagga
Rationale
Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network.
If there is no need to make the router software available, removing it provides a safeguard against its activation.
OVAL test results details

package quagga is removed  oval:ssg-test_package_quagga_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_quagga_removed:obj:1 of type rpminfo_object
Name
quagga
Verify the SSH Private Key Files Have a Passcodexccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected medium

Verify the SSH Private Key Files Have a Passcode

Rule IDxccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
os-srgSRG-OS-000067-GPOS-00035
stigrefSV-258127r926368_rule
Description
When creating SSH key pairs, always use a passcode.
You can create such keys with the following command:
$ sudo ssh-keygen -n [passphrase]
Red Hat Enterprise Linux 9, for certificate-based authentication, must enforce authorized access to the corresponding private key.
Rationale
If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
Evaluation messages
info 
No candidate or applicable check found.
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive medium

Set SSH Client Alive Count Max

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_keepalive:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cjis5.5.6
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.1.11
disaCCI-000879, CCI-001133, CCI-002361
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistAC-2(5), AC-12, AC-17(a), SC-10, CM-6(a)
nist-csfDE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
pcidssReq-8.1.8
os-srgSRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
cis5.2.20
pcidss48.2.8
stigrefSV-257995r952196_rule
Description
The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
Rationale
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Check the value of ClientAliveCountMax setting in /etc/ssh/sshd_config.d/ files  oval:ssg-test_sshd_set_keepalive_clientalivecountmax_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1
Set SSH Client Alive Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout medium

Set SSH Client Alive Interval

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_idle_timeout:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
cjis5.5.6
cobit5APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
cui3.1.11
disaCCI-000879, CCI-001133, CCI-002361
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistCM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a)
nist-csfDE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
pcidssReq-8.1.8
os-srgSRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175
cis5.2.20
pcidss48.2.8
stigrefSV-257996r952198_rule
Description
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 600
                


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Warnings
warning  SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.
warning  Following conditions may prevent the SSH session to time out:
  • Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
  • Any scp or sftp activity by the same user to the host resets the timeout.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

timeout is configured  oval:ssg-test_sshd_idle_timeout:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$1

timeout is configured in config directory  oval:ssg-test_sshd_idle_timeout_config_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_idle_timeout_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$1
Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth medium

Disable Host-Based Authentication

Rule IDxccdf_org.ssgproject.content_rule_disable_host_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_host_auth:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 16, 18, 3, 5, 9
cjis5.5.6
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistAC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000480-GPOS-00229
cis5.2.8
pcidss48.3.1
stigrefSV-257992r952190_rule
Description
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
HostbasedAuthentication no
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_disable_host_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_disable_host_auth_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of HostbasedAuthentication is present  oval:ssg-test_HostbasedAuthentication_present_disable_host_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_disable_host_auth:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_disable_host_auth:obj:1 oval:ssg-obj_disable_host_auth_config_dir:obj:1
Enable SSH Server firewalld Firewall Exceptionxccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled medium

Enable SSH Server firewalld Firewall Exception

Rule IDxccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Result
error
Multi-check ruleno
OVAL Definition IDoval:ssg-firewalld_sshd_port_enabled:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cui3.1.12
ism1416
nistAC-17(a), CM-6(b), CM-7(a), CM-7(b)
os-srgSRG-OS-000096-GPOS-00050
stigrefSV-257940r925807_rule
Description
If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access.

To configure firewalld to allow ssh access, run the following command(s):
firewall-cmd --permanent --add-service=ssh
Then run the following command to load the newly created rule(s):
firewall-cmd --reload
Rationale
If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port.
Warnings
warning  The remediation for this rule uses firewall-cmd and nmcli tools. Therefore, it will only be executed if firewalld and NetworkManager services are running. Otherwise, the remediation will be aborted and a informative message will be shown in the remediation report. These respective services will not be started in order to preserve any intentional change in network components related to firewall and network interfaces.
warning  This rule also checks if the SSH port was modified by the administrator in the firewalld services definitions and is reflecting the expected port number. Although this is checked, fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it is not in the scope of the remediation since there is no reliable way to manually change the respective file. If the default SSH port is modified, it is on the administrator responsibility to ensure the firewalld customizations in the service port level are properly configured.
warning  Red Hat Enterprise Linux 9 prefers and recommends to use NetworkManager keyfiles instead of the ifcfg files stored in /etc/sysconfig/network-scripts. Therefore, if the system was upgraded from a previous release, make sure the NIC configuration files are properly migrated from ifcfg format to NetworkManager keyfiles. Otherwise, this rule won't be able to check the configuration. The migration can be accomplished by nmcli connection migrate command.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
active
inactive
The firewalld or NetworkManager service is not active. Remediation aborted!
info 
Failed to verify applied fix: Checking engine returns: fail

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi
if ! rpm -q --quiet "NetworkManager" ; then
    dnf install -y "NetworkManager"
fi
firewalld_sshd_zone='public'


if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
    # TODO: NM (nmcli) now has --offline mode support, and it could operate without NM service.
    # See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1183
    # The feature is not quite straighforward (and probably incomplete), though.
    echo "Not applicable in offline mode. Remediation aborted!"
else
    if systemctl is-active NetworkManager && systemctl is-active firewalld; then
        # First make sure the SSH service is enabled in run-time for the proper zone.
        # This is to avoid connection issues when new interfaces are addeded to this zone.
        firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh

        # This will collect all NetworkManager connections names
        readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
        # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
        # This will not change connections which are already assigned to any firewalld zone.
        for connection in "${nm_connections[@]}"; do
            current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
            if [ $current_zone = "--" ]; then
                nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
            fi
        done
        systemctl restart NetworkManager

        # Active zones are zones with at least one interface assigned to it.
        # It is possible that traffic is comming by any active interface and consequently any
        # active zone. So, this make sure all active zones are permanently allowing SSH service.
        readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
        for zone in "${firewalld_active_zones[@]}"; do
            firewall-cmd --permanent --zone="$zone" --add-service=ssh
        done
        firewall-cmd --reload
    else
        echo "The firewalld or NetworkManager service is not active. Remediation aborted!"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: XCCDF Value firewalld_sshd_zone # promote to variable
  set_fact:
    firewalld_sshd_zone: !!str public
  tags:
    - always

- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld and NetworkManager
    packages are installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  - NetworkManager
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Collect facts about system
    services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Remediation is applicable
    if firewalld and NetworkManager services are running
  block:

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
      connections names
    ansible.builtin.shell:
      cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
    register: result_nmcli_cmd_connections_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
      connections zones
    ansible.builtin.shell:
      cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print
        $2}'
    register: result_nmcli_cmd_connections_zones
    changed_when: false
    with_items:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections
      are assigned to a firewalld zone
    ansible.builtin.command:
      cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone
        }}
    register: result_nmcli_cmd_connections_assignment
    with_together:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'
    - '{{ result_nmcli_cmd_connections_zones.results }}'
    when:
    - item.1.stdout == '--'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections
      changes are applied
    ansible.builtin.service:
      name: NetworkManager
      state: restarted
    when:
    - result_nmcli_cmd_connections_assignment is changed

  - name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active
      zones
    ansible.builtin.shell:
      cmd: firewall-cmd --get-active-zones | grep -v interfaces
    register: result_firewall_cmd_zones_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld zones
      allow SSH
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
    register: result_nmcli_cmd_connections_assignment
    changed_when:
    - '''ALREADY_ENABLED'' not in result_nmcli_cmd_connections_assignment.stderr'
    with_items:
    - '{{ result_firewall_cmd_zones_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld changes
      are applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_nmcli_cmd_connections_assignment is changed
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.services['firewalld.service'].state == 'running'
  - ansible_facts.services['NetworkManager.service'].state == 'running'
  tags:
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Informative message based
    on services states
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    - ansible_facts.services['NetworkManager.service'].state == 'running'
    fail_msg:
    - firewalld and NetworkManager services are not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld and NetworkManager
      services running.
    - The service is not started by this remediation in order to prevent connection
      issues.
    success_msg:
    - Enable SSH Server firewalld Firewall Exception remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
OVAL test results details

All NICs must have a firewalld zone defined in their settings  oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_sshd_port_enabled_network_conf_files_count:obj:1 of type variable_object
Var ref
oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1

SSH service is defined in all zones delivered in the firewalld package  oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_sshd_port_enabled_zone_files_usr:obj:1 of type xmlfilecontent_object
PathFilenameXpath
^(dmz|external|home|internal|public|trusted|work)\.xml$/usr/lib/firewalld/zones/zone/service[@name='ssh']

there is no equivalent zone file defined by the administrator in /etc dir  oval:ssg-test_firewalld_sshd_port_enabled_usr_zones_not_overridden:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathTypeUIDGIDSize (B)Permissions
not evaluated/etc/firewalld/zones/public.xmlregular00356rw-r--r-- 

SSH service is defined in all zones created or modified by the administrator  oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:var:11

SSH service is interger in the /usr/lib/firewalld/services dir  oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_usr:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_usr:obj:1 of type xmlfilecontent_object
FilepathXpath
/usr/lib/firewalld/services/ssh.xml/service/port[@port='22']

SSH service is properly configured in /etc/firewalld/services dir  oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_etc:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_etc:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/firewalld/services/ssh.xml<port.*port="(\d+)"1
Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression medium

Disable Compression Or Set Compression to delayed

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_compression
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_compression:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258002r952200_rule
Description
Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression no
                
Rationale
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of Compression setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_compression:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_compression:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords high

Disable SSH Access via Empty Passwords

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_empty_passwords:def:1
Time2024-08-21T12:39:26+00:00
Severityhigh
References:
cis-csc11, 12, 13, 14, 15, 16, 18, 3, 5, 9
cjis5.5.6
cobit5APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06
cui3.1.1, 3.1.5
disaCCI-000366, CCI-000766
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3
osppFIA_UAU.1
pcidssReq-2.2.4
os-srgSRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227
cis5.2.9
pcidss42.2.6
stigrefSV-257984r952179_rule
Description
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_empty_passwords:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of PermitEmptyPasswords is present  oval:ssg-test_PermitEmptyPasswords_present_sshd_disable_empty_passwords:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_disable_empty_passwords:obj:1 oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1
Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth medium

Disable GSSAPI Authentication

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_gssapi_auth:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.12
disaCCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
ism0418, 1055, 1402
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistCM-7(a), CM-7(b), CM-6(a), AC-17(a)
nist-csfPR.IP-1
osppFTP_ITC_EXT.1, FCS_SSH_EXT.1.2
os-srgSRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227
stigrefSV-258003r952202_rule
Description
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
GSSAPIAuthentication no
Rationale
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_gssapi_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/ssh/sshd_config.d/50-redhat.confGSSAPIAuthentication yes

Verify that the value of GSSAPIAuthentication is present  oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/ssh/sshd_config.d/50-redhat.confGSSAPIAuthentication yes
Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth medium

Disable Kerberos Authentication

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_kerb_auth:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.12
disaCCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1
osppFTP_ITC_EXT.1, FCS_SSH_EXT.1.2
os-srgSRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227
stigrefSV-258004r952204_rule
Description
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
KerberosAuthentication no
Rationale
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_kerb_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of KerberosAuthentication is present  oval:ssg-test_KerberosAuthentication_present_sshd_disable_kerb_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_kerb_auth:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_disable_kerb_auth:obj:1 oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1
Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts medium

Disable SSH Support for .rhosts Files

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_rhosts
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_rhosts:def:1
Time2024-08-21T12:39:26+00:00
Severitymedium
References:
cis-csc11, 12, 14, 15, 16, 18, 3, 5, 9
cjis5.5.6
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
cui3.1.12
disaCCI-000366
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3
osppFIA_UAU.1
os-srgSRG-OS-000480-GPOS-00227
cis5.2.11
pcidss42.2.6
stigrefSV-258005r952206_rule
Description
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreRhosts yes
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_rhosts:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of IgnoreRhosts is present  oval:ssg-test_IgnoreRhosts_present_sshd_disable_rhosts:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_disable_rhosts:obj:1 oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1
Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts medium

Disable SSH Support for User Known Hosts

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_user_known_hosts:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc11, 3, 9
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1
osppFIA_UAU.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258006r952208_rule
Description
SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreUserKnownHosts yes
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_user_known_hosts:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_user_known_hosts:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_user_known_hosts_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of IgnoreUserKnownHosts is present  oval:ssg-test_IgnoreUserKnownHosts_present_sshd_disable_user_known_hosts:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_user_known_hosts:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_disable_user_known_hosts:obj:1 oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding medium

Disable X11 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_x11_forwarding:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
cis5.2.12
pcidss42.2.6
stigrefSV-258007r952210_rule
Description
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
X11Forwarding no
Rationale
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_x11_forwarding:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/ssh/sshd_config.d/50-redhat.confX11Forwarding yes

Verify that the value of X11Forwarding is present  oval:ssg-test_X11Forwarding_present_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/ssh/sshd_config.d/50-redhat.confX11Forwarding yes
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env medium

Do Not Allow SSH Environment Options

Rule IDxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_do_not_permit_user_env:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc11, 3, 9
cjis5.5.6
cobit5BAI10.01, BAI10.02, BAI10.03, BAI10.05
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.4.3.2, 4.3.4.3.3
isa-62443-2013SR 7.6
iso27001-2013A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
nistAC-17(a), CM-7(a), CM-7(b), CM-6(a)
nist-csfPR.IP-1
pcidssReq-2.2.4
os-srgSRG-OS-000480-GPOS-00229
cis5.2.10
pcidss42.2.6
stigrefSV-257993r952192_rule
Description
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PermitUserEnvironment no
Rationale
SSH environment options potentially allow users to bypass access restriction in some configurations.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_do_not_permit_user_env:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of PermitUserEnvironment is present  oval:ssg-test_PermitUserEnvironment_present_sshd_do_not_permit_user_env:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1
Enable PAMxccdf_org.ssgproject.content_rule_sshd_enable_pam medium

Enable PAM

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_pam
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_pam:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
disaCCI-000877
os-srgSRG-OS-000125-GPOS-00065
cis5.2.6
pcidss42.2.6
stigrefSV-257986r952183_rule
Description
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
UsePAM yes
Rationale
When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of UsePAM setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_pam:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pam:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of UsePAM setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_enable_pam_config_dir:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/ssh/sshd_config.d/50-redhat.confUsePAM yes

Verify that the value of UsePAM is present  oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/ssh/sshd_config.d/50-redhat.confUsePAM yes
Enable Public Key Authenticationxccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth medium

Enable Public Key Authentication

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_pubkey_auth:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000765, CCI-000766, CCI-000767, CCI-000768
os-srgSRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
stigrefSV-257983r952177_rule
Description
Enable SSH login with public keys.
The default SSH configuration enables authentication based on public keys. The appropriate configuration is used if no value is set for PubkeyAuthentication.
To explicitly enable Public Key Authentication, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PubkeyAuthentication yes
Rationale
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_pubkey_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_enable_pubkey_auth_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pubkey_auth_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of PubkeyAuthentication is present  oval:ssg-test_PubkeyAuthentication_present_sshd_enable_pubkey_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_pubkey_auth:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 oval:ssg-obj_sshd_enable_pubkey_auth_config_dir:obj:1
Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes medium

Enable Use of Strict Mode Checking

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_strictmodes:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-6, AC-17(a), CM-6(a)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258008r952212_rule
Description
SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
StrictModes yes
Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of StrictModes setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_strictmodes:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_strictmodes:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of StrictModes setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_enable_strictmodes_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of StrictModes is present  oval:ssg-test_StrictModes_present_sshd_enable_strictmodes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_strictmodes:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_enable_strictmodes:obj:1 oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner medium

Enable SSH Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_warning_banner:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cjis5.5.6
cobit5DSS05.04, DSS05.10, DSS06.10
cui3.1.9
disaCCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-8(a), AC-8(c), AC-17(a), CM-6(a)
nist-csfPR.AC-7
osppFTA_TAB.1
pcidssReq-2.2.4
os-srgSRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
stigrefSV-257981r952173_rule
Description
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
Rationale
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of Banner setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_warning_banner:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of Banner setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of Banner is present  oval:ssg-test_Banner_present_sshd_enable_warning_banner:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_warning_banner:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_enable_warning_banner:obj:1 oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1
Enable SSH Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log medium

Enable SSH Print Last Log

Rule IDxccdf_org.ssgproject.content_rule_sshd_print_last_log
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_print_last_log:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16
cobit5DSS05.04, DSS05.10, DSS06.10
disaCCI-000052
isa-62443-20094.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
iso27001-2013A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
nistAC-9, AC-9(1)
nist-csfPR.AC-7
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258009r952214_rule
Description
Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PrintLastLog yes
Rationale
Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_print_last_log:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_print_last_log:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of PrintLastLog setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_print_last_log_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_print_last_log_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of PrintLastLog is present  oval:ssg-test_PrintLastLog_present_sshd_print_last_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_print_last_log:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_print_last_log:obj:1 oval:ssg-obj_sshd_print_last_log_config_dir:obj:1
Force frequent session key renegotiationxccdf_org.ssgproject.content_rule_sshd_rekey_limit medium

Force frequent session key renegotiation

Rule IDxccdf_org.ssgproject.content_rule_sshd_rekey_limit
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_rekey_limit:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000068
osppFCS_SSH_EXT.1.8
os-srgSRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014
stigrefSV-257994r952194_rule
Description
The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.
To decrease the default limits, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
RekeyLimit 1G
                  1h
                
Rationale
By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of RekeyLimit setting in the file  oval:ssg-test_sshd_rekey_limit:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_rekey_limit:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[\s]*RekeyLimit[\s]+(.*)$1

tests the value of RekeyLimit setting in SSHD config directory  oval:ssg-test_sshd_rekey_limit_config_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_rekey_limit_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[\s]*RekeyLimit[\s]+(.*)$1
Set SSH Daemon LogLevel to VERBOSExccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose medium

Set SSH Daemon LogLevel to VERBOSE

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_loglevel_verbose:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000067
nerc-cipCIP-007-3 R7.1
nistAC-17(a), AC-17(1), CM-6(a)
pcidssReq-2.2.4
os-srgSRG-OS-000032-GPOS-00013
cis5.2.5
pcidss42.2.6
stigrefSV-257982r952175_rule
Description
The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
LogLevel VERBOSE
Rationale
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of LogLevel setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_loglevel_verbose:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_set_loglevel_verbose_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of LogLevel is present  oval:ssg-test_LogLevel_present_sshd_set_loglevel_verbose:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_loglevel_verbose:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1
Enable Use of Privilege Separationxccdf_org.ssgproject.content_rule_sshd_use_priv_separation medium

Enable Use of Privilege Separation

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_priv_separation
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_priv_separation:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.12
disaCCI-000366
hipaa164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-17(a), AC-6
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258010r952216_rule
Description
When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation sandbox
                
Rationale
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_priv_separation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_use_priv_separation:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)UsePrivilegeSeparation(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1
Prevent remote hosts from connecting to the proxy displayxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost medium

Prevent remote hosts from connecting to the proxy display

Rule IDxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_x11_use_localhost:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258011r952218_rule
Description
The SSH daemon should prevent remote hosts from connecting to the proxy display.
The default SSH configuration for X11UseLocalhost is yes, which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: X11UseLocalhost yes
Rationale
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Result of item-state comparisonVar refValue
falseoval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Result of item-state comparisonVar refValue
trueoval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_x11_use_localhost:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_x11_use_localhost:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config.d file  oval:ssg-test_sshd_x11_use_localhost_config_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_x11_use_localhost_config_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/ssh/sshd_config.d.*\.conf$^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1

Verify that the value of X11UseLocalhost is present  oval:ssg-test_X11UseLocalhost_present_sshd_x11_use_localhost:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_x11_use_localhost:obj:1 of type textfilecontent54_object
Set
oval:ssg-obj_sshd_x11_use_localhost:obj:1 oval:ssg-obj_sshd_x11_use_localhost_config_dir:obj:1
Install OpenSSH client softwarexccdf_org.ssgproject.content_rule_package_openssh-clients_installed medium

Install OpenSSH client software

Rule IDxccdf_org.ssgproject.content_rule_package_openssh-clients_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_openssh-clients_installed:def:1
Time2024-08-21T12:36:00+00:00
Severitymedium
References:
osppFIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHC_EXT.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257980r928960_rule
Description
The openssh-clients package can be installed with the following command:
$ sudo dnf install openssh-clients
Rationale
This package includes utilities to make encrypted connections and transfer files securely to SSH servers.
OVAL test results details

package openssh-clients is installed  oval:ssg-test_package_openssh-clients_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-clientsx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-clients-0:8.7p1-38.el9_4.4.x86_64
Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed medium

Install the OpenSSH Server Package

Rule IDxccdf_org.ssgproject.content_rule_package_openssh-server_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_openssh-server_installed:def:1
Time2024-08-21T12:36:00+00:00
Severitymedium
References:
cis-csc13, 14
cobit5APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06
disaCCI-002418, CCI-002420, CCI-002421, CCI-002422
isa-62443-2013SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a)
nist-csfPR.DS-2, PR.DS-5
osppFIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1
os-srgSRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
stigrefSV-257978r925921_rule
Description
The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo dnf install openssh-server
Rationale
Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
OVAL test results details

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64
Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled medium

Enable the OpenSSH Service

Rule IDxccdf_org.ssgproject.content_rule_service_sshd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_sshd_enabled:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc13, 14
cobit5APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06
cui3.1.13, 3.5.4, 3.13.8
disaCCI-002418, CCI-002420, CCI-002421, CCI-002422
isa-62443-2013SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4)
nist-csfPR.DS-2, PR.DS-5
os-srgSRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
stigrefSV-257979r925924_rule
Description
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
Rationale
Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
OVAL test results details

package openssh-server is installed  oval:ssg-test_service_sshd_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedopenssh-serverx86_64(none)38.el9_4.48.7p10:8.7p1-38.el9_4.40openssh-server-0:8.7p1-38.el9_4.4.x86_64

Test that the sshd service is running  oval:ssg-test_service_running_sshd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
truesshd.serviceActiveStateactive
falsesshd.socketActiveStateinactive

systemd test  oval:ssg-test_multi_user_wants_sshd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_sshd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Verify Group Who Owns SSH Server config filexccdf_org.ssgproject.content_rule_file_groupowner_sshd_config medium

Verify Group Who Owns SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_sshd_config:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-17(a), CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis5.2.1
stigrefSV-257997r925978_rule
Description
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/ssh/sshd_config  oval:ssg-test_file_groupowner_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1
Verify Owner on SSH Server config filexccdf_org.ssgproject.content_rule_file_owner_sshd_config medium

Verify Owner on SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_owner_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_sshd_config:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-17(a), CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis5.2.1
stigrefSV-257998r925981_rule
Description
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/ssh/sshd_config  oval:ssg-test_file_owner_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1
Verify Permissions on SSH Server config filexccdf_org.ssgproject.content_rule_file_permissions_sshd_config medium

Verify Permissions on SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_config:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-17(a), CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis5.2.1
pcidss42.2.6
stigrefSV-257999r925984_rule
Description
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/ssh/sshd_config  oval:ssg-test_file_permissions_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-exclude_symlinks__sshd_config:ste:1oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1
Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key medium

Verify Permissions on SSH Server Private *_key Key Files

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_private_key:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.13, 3.13.10
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-17(a), CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-2.2.4
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis5.2.2
pcidss42.2.6
stigrefSV-258000r925987_rule
Description
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.
Rationale
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
OVAL test results details

No keys that have unsafe ownership/permissions combination exist  oval:ssg-test_no_offending_keys:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_offending_keys:obj:1 of type file_object
PathFilenameFilterFilterFilter
/etc/ssh.*_key$oval:ssg-exclude_symlinks__sshd_private_key:ste:1oval:ssg-filter_ssh_key_owner_root:ste:1oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key medium

Verify Permissions on SSH Server Public *.pub Key Files

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_pub_key:def:1
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
cis-csc12, 13, 14, 15, 16, 18, 3, 5
cobit5APO01.06, DSS05.04, DSS05.07, DSS06.02
cui3.1.13, 3.13.10
disaCCI-000366
isa-62443-20094.3.3.7.3
isa-62443-2013SR 2.1, SR 5.2
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistAC-17(a), CM-6(a), AC-6(1)
nist-csfPR.AC-4, PR.DS-5
pcidssReq-2.2.4
os-srgSRG-OS-000480-GPOS-00227
anssiR50
cis5.2.3
pcidss42.2.6
stigrefSV-258001r925990_rule
Description
To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
Rationale
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
OVAL test results details

Testing mode of /etc/ssh/  oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/ssh^.*\.pub$oval:ssg-exclude_symlinks__sshd_pub_key:ste:1oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1
Certificate status checking in SSSDxccdf_org.ssgproject.content_rule_sssd_certificate_verification medium

Certificate status checking in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_certificate_verification
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_certificate_verification:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-001948, CCI-001954
nistIA-2(11)
os-srgSRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162
stigrefSV-258123r926356_rule
Description
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards. Configuring certificate_verification to ocsp_dgst=sha512 ensures that certificates for multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
Rationale
Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

test the value of certificate_verification in sssd configuration  oval:ssg-test_sssd_certificate_verification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_certificate_verification:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sssd/(sssd|conf\.d/.*)\.conf$^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst=(\w+)$1
Enable Certmap in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_certmap medium

Enable Certmap in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_enable_certmap
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_enable_certmap:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-000187
nistIA-5 (2) (c)
os-srgSRG-OS-000068-GPOS-00036
stigrefSV-258132r926383_rule
Description
SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like certmap/testing.test/rule_name is setup in /etc/sssd/sssd.conf. For example
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
Rationale
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
Warnings
warning  Automatic remediation of this control is not available, since all of the settings in in the certmap need to be customized.
Evaluation messages
info 
No suitable fix found.
OVAL test results details

tests the presence of '\[certmap\/.+\/.+\]' setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_enable_certmap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_certmap:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sssd/sssd.conf^[\s]*\[certmap\/.+\/.+\][\s]*$1
Enable Smartcards in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards medium

Enable Smartcards in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_enable_smartcards:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
disaCCI-001954, CCI-000765, CCI-000766, CCI-000767, CCI-000768
ism0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
pcidssReq-8.3
os-srgSRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
stigrefSV-258122r926353_rule
Description
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to True under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = True
Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example:
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to include the "allow_missing_name" option, like in the following example:
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Current configuration is valid.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf:
  - set "pam_cert_auth = True" in [pam] section

Backup stored at /var/lib/authselect/backups/2024-08-21-12-39-27.VmWAkf
Changes were successfully applied.
OVAL test results details

tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_enable_smartcards:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_smartcards:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sssd/(sssd\.conf|conf.d/[^/]+\.conf)^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(\w+)\s*$1

tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/smartcard-auth  oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_smartcards_smartcard_auth_options:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/smartcard-auth^\s*auth.*?pam_sss\.so(.*)1

tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/system-auth  oval:ssg-test_sssd_enable_smartcards_cert_auth_system_auth:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/pam.d/system-authauth sufficient pam_sss.so forward_pass
SSSD Has a Correct Trust Anchorxccdf_org.ssgproject.content_rule_sssd_has_trust_anchor medium

SSSD Has a Correct Trust Anchor

Rule IDxccdf_org.ssgproject.content_rule_sssd_has_trust_anchor
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:36:02+00:00
Severitymedium
References:
disaCCI-000185
nistIA-5 (2) (a)
os-srgSRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167
stigrefSV-258131r926380_rule
Description
SSSD must have acceptable trust anchor present.
Rationale
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
Warnings
warning  Automatic remediation of this control is not available.
Evaluation messages
info 
No candidate or applicable check found.
Configure SSSD to Expire Offline Credentialsxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration medium

Configure SSSD to Expire Offline Credentials

Rule IDxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_offline_cred_expiration:def:1
Time2024-08-21T12:39:27+00:00
Severitymedium
References:
cis-csc1, 12, 15, 16, 5
cobit5DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
disaCCI-002007
isa-62443-20094.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
isa-62443-2013SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
iso27001-2013A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nistCM-6(a), IA-5(13)
nist-csfPR.AC-1, PR.AC-6, PR.AC-7
os-srgSRG-OS-000383-GPOS-00166
stigrefSV-258133r926386_rule
Description
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
Rationale
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_offline_cred_expiration:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_offline_cred_expiration:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*(\d+)\s*(?:#.*)?$1
Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed medium

Install usbguard Package

Rule IDxccdf_org.ssgproject.content_rule_package_usbguard_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_usbguard_installed:def:1
Time2024-08-21T12:39:44+00:00
Severitymedium
References:
disaCCI-001958
ism1418
nistCM-8(3), IA-3
os-srgSRG-OS-000378-GPOS-00163
app-srg-ctrSRG-APP-000141-CTR-000315
stigrefSV-258035r926092_rule
Description
The usbguard package can be installed with the following command:
$ sudo dnf install usbguard
Rationale
usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:49:21 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package                Architecture Version              Repository       Size
================================================================================
Installing:
 usbguard               x86_64       1.0.0-15.el9         appstream       468 k
Installing dependencies:
 libqb                  x86_64       2.0.8-1.el9          appstream        91 k
 protobuf               x86_64       3.14.0-13.el9        appstream       1.0 M
Installing weak dependencies:
 usbguard-selinux       noarch       1.0.0-15.el9         appstream        22 k

Transaction Summary
================================================================================
Install  4 Packages

Total download size: 1.6 M
Installed size: 5.1 M
Downloading Packages:
(1/4): usbguard-selinux-1.0.0-15.el9.noarch.rpm  63 kB/s |  22 kB     00:00    
(2/4): usbguard-1.0.0-15.el9.x86_64.rpm         492 kB/s | 468 kB     00:00    
(3/4): protobuf-3.14.0-13.el9.x86_64.rpm        920 kB/s | 1.0 MB     00:01    
(4/4): libqb-2.0.8-1.el9.x86_64.rpm              95 kB/s |  91 kB     00:00    
--------------------------------------------------------------------------------
Total                                           1.1 MB/s | 1.6 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : libqb-2.0.8-1.el9.x86_64                               1/4 
  Installing       : protobuf-3.14.0-13.el9.x86_64                          2/4 
  Running scriptlet: usbguard-selinux-1.0.0-15.el9.noarch                   3/4 
  Installing       : usbguard-selinux-1.0.0-15.el9.noarch                   3/4 
  Running scriptlet: usbguard-selinux-1.0.0-15.el9.noarch                   3/4 
  Installing       : usbguard-1.0.0-15.el9.x86_64                           4/4 
  Running scriptlet: usbguard-1.0.0-15.el9.x86_64                           4/4 
  Running scriptlet: usbguard-selinux-1.0.0-15.el9.noarch                   4/4 
  Running scriptlet: usbguard-1.0.0-15.el9.x86_64                           4/4 
  Verifying        : usbguard-selinux-1.0.0-15.el9.noarch                   1/4 
  Verifying        : usbguard-1.0.0-15.el9.x86_64                           2/4 
  Verifying        : protobuf-3.14.0-13.el9.x86_64                          3/4 
  Verifying        : libqb-2.0.8-1.el9.x86_64                               4/4 
Installed products updated.

Installed:
  libqb-2.0.8-1.el9.x86_64           protobuf-3.14.0-13.el9.x86_64             
  usbguard-1.0.0-15.el9.x86_64       usbguard-selinux-1.0.0-15.el9.noarch      

Complete!
OVAL test results details

package usbguard is installed  oval:ssg-test_package_usbguard_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object
Name
usbguard
Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled medium

Enable the USBGuard Service

Rule IDxccdf_org.ssgproject.content_rule_service_usbguard_enabled
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-service_usbguard_enabled:def:1
Time2024-08-21T12:39:47+00:00
Severitymedium
References:
disaCCI-000416, CCI-001958
ism1418
nistCM-8(3)(a), IA-3
osppFMT_SMF_EXT.1
os-srgSRG-OS-000378-GPOS-00163
app-srg-ctrSRG-APP-000141-CTR-000315
stigrefSV-258036r926095_rule
Description
The USBGuard service should be enabled. The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
Rationale
The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
OVAL test results details

package usbguard is installed  oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type rpminfo_object
Name
usbguard

Test that the usbguard service is running  oval:ssg-test_service_running_usbguard:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_usbguard:obj:1 of type systemdunitproperty_object
UnitProperty
^usbguard\.(socket|service)$ActiveState

systemd test  oval:ssg-test_multi_user_wants_usbguard:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_usbguard_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Log USBGuard daemon audit events using Linux Auditxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend low

Log USBGuard daemon audit events using Linux Audit

Rule IDxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
Result
notapplicable
Multi-check ruleno
Time2024-08-21T12:36:03+00:00
Severitylow
References:
disaCCI-000169, CCI-000172
nistAU-2, CM-8(3), IA-3
osppFMT_SMF_EXT.1
os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000141-CTR-000315
stigrefSV-258037r926098_rule
Description
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
Rationale
Using the Linux Audit logging allows for centralized trace of events.
Generate USBGuard Policyxccdf_org.ssgproject.content_rule_usbguard_generate_policy medium

Generate USBGuard Policy

Rule IDxccdf_org.ssgproject.content_rule_usbguard_generate_policy
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-usbguard_generate_policy:def:1
Time2024-08-21T12:39:48+00:00
Severitymedium
References:
disaCCI-000416, CCI-001958
nistCM-8(3)(a), IA-3
osppFMT_SMF_EXT.1
os-srgSRG-OS-000378-GPOS-00163
stigrefSV-258038r943052_rule
Description
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices.
Rationale
The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists  oval:ssg-test_usbguard_rules_nonempty:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/usbguard/(rules|rules\.d/.*)\.conf$^.*\S+.*$1
Disable graphical user interfacexccdf_org.ssgproject.content_rule_xwindows_remove_packages medium

Disable graphical user interface

Rule IDxccdf_org.ssgproject.content_rule_xwindows_remove_packages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-xwindows_remove_packages:def:1
Time2024-08-21T12:36:03+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6(b)
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257837r925498_rule
Description
By removing the following packages, the system no longer has X Windows installed. xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
sudo dnf remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
Rationale
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Warnings
warning  The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.
OVAL test results details

package xorg-x11-server-Xorg is removed  oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xorg_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-Xorg

package xorg-x11-server-common is removed  oval:ssg-test_package_xorg-x11-server-common_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-common

package xorg-x11-server-utils is removed  oval:ssg-package_xorg-x11-server-utils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-utils_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-utils

package xorg-x11-server-Xwayland is removed  oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xwayland_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-Xwayland
Disable X Windows Startup By Setting Default Targetxccdf_org.ssgproject.content_rule_xwindows_runlevel_target medium

Disable X Windows Startup By Setting Default Target

Rule IDxccdf_org.ssgproject.content_rule_xwindows_runlevel_target
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-xwindows_runlevel_target:def:1
Time2024-08-21T12:36:03+00:00
Severitymedium
References:
cis-csc12, 15, 8
cobit5APO13.01, DSS01.04, DSS05.02, DSS05.03
disaCCI-000366
isa-62443-20094.3.3.6.6
isa-62443-2013SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2
nistCM-7(a), CM-7(b), CM-6(a)
nist-csfPR.AC-3, PR.PT-4
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-257781r925330_rule
Description
Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
Rationale
Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented.
OVAL test results details

default.target systemd softlink exists  oval:ssg-test_disable_xwindows_runlevel_target:tst:1  true

Following items have been found on the system:
Result of item-state comparisonFilepathCanonical path
true/etc/systemd/system/default.target/usr/lib/systemd/system/multi-user.target
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod medium

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chmod:def:1
Time2024-08-21T12:39:53+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258177r926518_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown medium

Record Events that Modify the System's Discretionary Access Controls - chown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chown:def:1
Time2024-08-21T12:39:53+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258178r926521_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chown  oval:ssg-test_32bit_ardm_chown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit chown  oval:ssg-test_64bit_ardm_chown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chown  oval:ssg-test_32bit_ardm_chown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit chown  oval:ssg-test_64bit_ardm_chown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod medium

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmod:def:1
Time2024-08-21T12:39:53+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258177r926518_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat medium

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmodat:def:1
Time2024-08-21T12:39:54+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258177r926518_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown medium

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchown:def:1
Time2024-08-21T12:39:54+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258178r926521_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat medium

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchownat:def:1
Time2024-08-21T12:39:54+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258178r926521_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr medium

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fremovexattr:def:1
Time2024-08-21T12:39:55+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit fremovexattr auid=0  oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr medium

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fsetxattr:def:1
Time2024-08-21T12:39:55+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit fsetxattr auid=0  oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown medium

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lchown:def:1
Time2024-08-21T12:39:56+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258178r926521_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr medium

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lremovexattr:def:1
Time2024-08-21T12:39:57+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit lremovexattr auid=0  oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr medium

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lsetxattr:def:1
Time2024-08-21T12:39:58+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit lsetxattr auid=0  oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr medium

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_removexattr:def:1
Time2024-08-21T12:39:58+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit removexattr auid=0  oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr medium

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_setxattr:def:1
Time2024-08-21T12:39:59+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.5
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203
app-srg-ctrSRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.9
pcidss410.3.4
stigrefSV-258179r926524_rule
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit setxattr auid=0  oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl_auid_0:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - umountxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount medium

Record Events that Modify the System's Discretionary Access Controls - umount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_umount:def:1
Time2024-08-21T12:39:59+00:00
Severitymedium
References:
disaCCI-000130, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258215r943018_rule
Description
At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit umount  oval:ssg-test_32bit_ardm_umount_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit umount  oval:ssg-test_32bit_ardm_umount_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Events that Modify the System's Discretionary Access Controls - umount2xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 medium

Record Events that Modify the System's Discretionary Access Controls - umount2

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_umount2:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
disaCCI-000130, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
stigrefSV-258216r926635_rule
Description
At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit umount2  oval:ssg-test_32bit_ardm_umount2_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount2_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit umount2  oval:ssg-test_64bit_ardm_umount2_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_umount2_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit umount2  oval:ssg-test_32bit_ardm_umount2_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount2_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit umount2  oval:ssg-test_64bit_ardm_umount2_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_umount2_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run chaclxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl medium

Record Any Attempts to Run chacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chacl:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
cis4.1.3.17
stigrefSV-258181r926530_rule
Description
At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chacl  oval:ssg-test_audit_rules_execution_chacl_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chacl  oval:ssg-test_audit_rules_execution_chacl_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run setfaclxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl medium

Record Any Attempts to Run setfacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setfacl:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
cis4.1.3.16
stigrefSV-258182r926533_rule
Description
At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setfacl  oval:ssg-test_audit_rules_execution_setfacl_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setfacl  oval:ssg-test_audit_rules_execution_setfacl_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon medium

Record Any Attempts to Run chcon

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chcon:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
cis4.1.3.15
stigrefSV-258183r926536_rule
Description
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage medium

Record Any Attempts to Run semanage

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_semanage:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250
stigrefSV-258184r926539_rule
Description
At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules semanage  oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl semanage  oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles medium

Record Any Attempts to Run setfiles

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setfiles:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
disaCCI-000169, CCI-000172, CCI-002884
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250
stigrefSV-258185r926542_rule
Description
At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setfiles  oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setfiles  oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool medium

Record Any Attempts to Run setsebool

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setsebool:def:1
Time2024-08-21T12:40:00+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250
stigrefSV-258186r926545_rule
Description
At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setsebool  oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setsebool  oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename medium

Ensure auditd Collects File Deletion Events by User - rename

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rename:def:1
Time2024-08-21T12:40:01+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.13
pcidss410.2.1.7
stigrefSV-258187r926548_rule
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit rename  oval:ssg-test_32bit_ardm_rename_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit rename  oval:ssg-test_64bit_ardm_rename_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rename  oval:ssg-test_32bit_ardm_rename_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit rename  oval:ssg-test_64bit_ardm_rename_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat medium

Ensure auditd Collects File Deletion Events by User - renameat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_renameat:def:1
Time2024-08-21T12:40:02+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.13
pcidss410.2.1.7
stigrefSV-258187r926548_rule
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir medium

Ensure auditd Collects File Deletion Events by User - rmdir

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rmdir:def:1
Time2024-08-21T12:40:04+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
pcidss410.2.1.7
stigrefSV-258187r926548_rule
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat medium

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
Time2024-08-21T12:40:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
anssiR73
cis4.1.3.13
pcidss410.2.1.7
stigrefSV-258187r926548_rule
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat medium

Record Unsuccessful Access Attempts to Files - creat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
Time2024-08-21T12:40:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.7
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules1
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate medium

Record Unsuccessful Access Attempts to Files - ftruncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
Time2024-08-21T12:40:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.7
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open medium

Record Unsuccessful Access Attempts to Files - open

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
Time2024-08-21T12:40:07+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.7
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1
Record Unsuccessful Access Attempts to Files - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at medium

Record Unsuccessful Access Attempts to Files - open_by_handle_at

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1
Time2024-08-21T12:40:07+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat medium

Record Unsuccessful Access Attempts to Files - openat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
Time2024-08-21T12:40:07+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.7
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate medium

Record Unsuccessful Access Attempts to Files - truncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
Time2024-08-21T12:40:08+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.4, Req-10.2.1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
app-srg-ctrSRG-APP-000495-CTR-001235
anssiR73
cis4.1.3.7
stigrefSV-258188r926551_rule
Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules1
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete medium

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_delete:def:1
Time2024-08-21T12:40:09+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280
anssiR73
cis4.1.3.19
stigrefSV-258189r926554_rule
Description
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit medium

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_finit:def:1
Time2024-08-21T12:40:10+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280
anssiR73
cis4.1.3.19
stigrefSV-258190r926557_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
Rationale
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init medium

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_init:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.7
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280
anssiR73
cis4.1.3.19
stigrefSV-258190r926557_rule
Description
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit augenrules 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
truex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Result of item-state comparisonMachine classNode nameOs nameOs releaseOs versionProcessor type
falsex86_64rockykinux-rgs-djaga2Linux5.14.0-362.8.1.el9_3.x86_64#1 SMP PREEMPT_DYNAMIC Wed Nov 8 17:36:32 UTC 2023x86_64

audit auditctl 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - initxccdf_org.ssgproject.content_rule_audit_privileged_commands_init medium

Ensure auditd Collects Information on the Use of Privileged Commands - init

Rule IDxccdf_org.ssgproject.content_rule_audit_privileged_commands_init
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_privileged_commands_init:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000172
nistAU-12(c)
os-srgSRG-OS-000477-GPOS-00222
stigrefSV-258211r926620_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of the init command may cause availability issues for the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules init  oval:ssg-test_audit_privileged_commands_init_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_init_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl init  oval:ssg-test_audit_privileged_commands_init_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_init_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - poweroffxccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff medium

Ensure auditd Collects Information on the Use of Privileged Commands - poweroff

Rule IDxccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_privileged_commands_poweroff:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000172
nistAU-12(c)
os-srgSRG-OS-000477-GPOS-00222
stigrefSV-258212r926623_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of the poweroff command may cause availability issues for the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules poweroff  oval:ssg-test_audit_privileged_commands_poweroff_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_poweroff_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl poweroff  oval:ssg-test_audit_privileged_commands_poweroff_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_poweroff_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - rebootxccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot medium

Ensure auditd Collects Information on the Use of Privileged Commands - reboot

Rule IDxccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_privileged_commands_reboot:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000172
nistAU-12(c)
os-srgSRG-OS-000477-GPOS-00222
stigrefSV-258213r926626_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of the reboot command may cause availability issues for the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules reboot  oval:ssg-test_audit_privileged_commands_reboot_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_reboot_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl reboot  oval:ssg-test_audit_privileged_commands_reboot_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_reboot_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - shutdownxccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown medium

Ensure auditd Collects Information on the Use of Privileged Commands - shutdown

Rule IDxccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_privileged_commands_shutdown:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000172
nistAU-12(c)
os-srgSRG-OS-000477-GPOS-00222
stigrefSV-258214r926629_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of the shutdown command may cause availability issues for the system.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules shutdown  oval:ssg-test_audit_privileged_commands_shutdown_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_shutdown_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl shutdown  oval:ssg-test_audit_privileged_commands_shutdown_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_shutdown_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage medium

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chage:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
stigrefSV-258191r926560_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chage  oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chage  oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh medium

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chsh:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258192r926563_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab medium

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_crontab:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258193r926566_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd medium

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_gpasswd:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258194r926569_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - kmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod medium

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_kmod:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
nistAU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a)
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280
anssiR73
cis4.1.3.19
stigrefSV-258195r926572_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules kmod  oval:ssg-test_audit_rules_privileged_commands_kmod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl kmod  oval:ssg-test_audit_rules_privileged_commands_kmod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - mountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount medium

Ensure auditd Collects Information on the Use of Privileged Commands - mount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_mount:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085
stigrefSV-258210r926617_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules mount  oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl mount  oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp medium

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_newgrp:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258196r926575_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check medium

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258197r926578_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd medium

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_passwd:def:1
Time2024-08-21T12:40:11+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258198r926581_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop medium

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_postdrop:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258199r926584_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue medium

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_postqueue:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258200r926587_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Record Any Attempts to Run ssh-agentxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent medium

Record Any Attempts to Run ssh-agent

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_agent:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258201r926590_rule
Description
At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_agent_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_agent_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign medium

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258202r926593_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su medium

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_su:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
stigrefSV-258203r926596_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules su  oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl su  oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo medium

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_sudo:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
anssiR33
stigrefSV-258204r926599_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit medium

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_sudoedit:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258205r926602_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount medium

Ensure auditd Collects Information on the Use of Privileged Commands - umount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_umount:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085
stigrefSV-258180r926527_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules umount  oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl umount  oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd medium

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5
nistAC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
stigrefSV-258206r926605_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - unix_updatexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update medium

Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix_update:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258207r926608_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules unix_update  oval:ssg-test_audit_rules_privileged_commands_unix_update_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_update_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix_update  oval:ssg-test_audit_rules_privileged_commands_unix_update_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_update_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper medium

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_userhelper:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nistAU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
osppFAU_GEN.1.1.c
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
app-srg-ctrSRG-APP-000495-CTR-001235
stigrefSV-258208r926611_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Ensure auditd Collects Information on the Use of Privileged Commands - usermodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod medium

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_usermod:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
cis4.1.3.18
stigrefSV-258209r926614_rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable medium

Make the auditd Configuration Immutable

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_immutable
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_immutable:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.3.1, 3.4.3
disaCCI-000162, CCI-000163, CCI-000164
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistAC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.5.2
os-srgSRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
app-srg-ctrSRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250
anssiR73
cis4.1.3.20
pcidss410.3.2
stigrefSV-258229r926674_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
Rationale
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules configuration locked  oval:ssg-test_ari_locked_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-e\s+2\s*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl configuration locked  oval:ssg-test_ari_locked_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-e\s+2\s*$1
Ensure auditd Collects System Administrator Actions - /etc/sudoersxccdf_org.ssgproject.content_rule_audit_rules_sudoers medium

Ensure auditd Collects System Administrator Actions - /etc/sudoers

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sudoers
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sudoers:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
stigrefSV-258217r926638_rule
Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoers  oval:ssg-test_audit_rules_sudoers_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sudoers_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d medium

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sudoers_d:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
stigrefSV-258218r926641_rule
Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoers  oval:ssg-test_audit_rules_sudoers_d_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sudoers_d_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Record Events When Privileged Executables Are Runxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function medium

Record Events When Privileged Executables Are Run

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_suid_privilege_function:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
disaCCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234
nistCM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9)
os-srgSRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127
app-srg-ctrSRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905
pcidss410.2.1.2
stigrefSV-258176r926515_rule
Description
Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_privileged_function_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit uid privileged function  oval:ssg-test_64bit_uid_privileged_function_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_privileged_function_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_gid_privileged_function_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit augenrules 64-bit gid privileged function  oval:ssg-test_64bit_gid_privileged_function_augenrules:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_gid_privileged_function_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_privileged_function_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit uid privileged_function  oval:ssg-test_64bit_uid_privileged_function_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_privileged_function_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_gid_privileged_function_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1

audit auditctl 64-bit gid privileged_function  oval:ssg-test_64bit_gid_privileged_function_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_gid_privileged_function_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$1
Shutdown System When Auditing Failures Occurxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown medium

Shutdown System When Auditing Failures Occur

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_system_shutdown:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 14, 15, 16, 3, 5, 6
cobit5APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
cui3.3.1, 3.3.4
disaCCI-000139, CCI-000140
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
nistAU-5(b), SC-24, CM-6(a)
nist-csfPR.PT-1
os-srgSRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023
stigrefSV-258227r926668_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to to the bottom of a file with suffix .rules in the directory /etc/audit/rules.d:
-f 2
              
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the bottom of the /etc/audit/audit.rules file:
-f 2
              
Rationale
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules configuration shutdown  oval:ssg-test_ars_shutdown_augenrules:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/rules.d/audit.rules-f 1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl configuration shutdown  oval:ssg-test_ars_shutdown_auditctl:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/audit.rules-f 1
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group medium

Record Events that Modify User/Group Information - /etc/group

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_group:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.5
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
anssiR73
cis4.1.3.8
pcidss410.2.1.5
stigrefSV-258219r926644_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules group  oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit group  oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow medium

Record Events that Modify User/Group Information - /etc/gshadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_gshadow:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.5
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
anssiR73
cis4.1.3.8
pcidss410.2.1.5
stigrefSV-258220r926647_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd medium

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_opasswd:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.5
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275
anssiR73
cis4.1.3.8
pcidss410.2.1.5
stigrefSV-258221r926650_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd medium

Record Events that Modify User/Group Information - /etc/passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_passwd:def:1
Time2024-08-21T12:39:52+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.5
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
anssiR73
cis4.1.3.8
pcidss410.2.1.5
stigrefSV-258222r926653_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow medium

Record Events that Modify User/Group Information - /etc/shadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_shadow:def:1
Time2024-08-21T12:39:53+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.1.7
disaCCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
nerc-cipCIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
nistAC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.2.5
os-srgSRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
app-srg-ctrSRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275
anssiR73
cis4.1.3.8
pcidss410.2.1.5
stigrefSV-258223r926656_rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$1
System Audit Directories Must Be Group Owned By Rootxccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit medium

System Audit Directories Must Be Group Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-directory_group_ownership_var_log_audit:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui3.3.1
disaCCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1), AU-9(4)
nist-csfDE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.5.1
os-srgSRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
stigrefSV-258165r926482_rule
Description
All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. To properly set the group owner of /var/log/audit, run the command:
$ sudo chgrp root /var/log/audit
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group.
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
/var/log/audit/audit.log
/var/log/audit
no valueno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_default_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_default_var_log_audit_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/var/log/auditno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1

log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_group = root

log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_group = root

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_var_log_audit_directories-non_root:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories-non_root:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/var/log/auditno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories-non_root:ste:1
System Audit Directories Must Be Owned By Rootxccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit medium

System Audit Directories Must Be Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-directory_ownership_var_log_audit:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui3.3.1
disaCCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nistCM-6(a), AC-6(1), AU-9(4)
nist-csfDE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.5.1
os-srgSRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
stigrefSV-258166r926485_rule
Description
All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit 
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

log_file's directory uid root gid root  oval:ssg-test_user_ownership_var_log_audit_path:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_path:obj:1 of type file_object
PathFilenameFilter
/var/log/audit
/var/log/audit
/var/log/audit
/var/log/audit
/var/log/audit
/var/log/audit/audit.log
no valueoval:ssg-state_owner_not_root_var_log_audit_directories:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_user_ownership_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_directories:obj:1 of type file_object
PathFilenameFilter
/var/log/auditno valueoval:ssg-state_owner_not_root_var_log_audit_directories:ste:1
System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit medium

System Audit Logs Must Have Mode 0640 or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log_audit:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui3.3.1
disaCCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cipCIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nistCM-6(a), AC-6(1), AU-9(4)
nist-csfDE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.5
os-srgSRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
app-srg-ctrSRG-APP-000118-CTR-000240
cis4.1.4.1
pcidss410.3.1
stigrefSV-258167r926488_rule
Description
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:
$ sudo chmod 0600 audit_log_file
              
By default, audit_log_file is "/var/log/audit/audit.log".
Rationale
If users can write to audit logs, audit trails can be modified or destroyed.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

audit log files mode 0600  oval:ssg-test_file_permissions_audit_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_not_mode_0600:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

default audit log files mode 0600  oval:ssg-test_file_permissions_default_audit_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_default_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_not_mode_0600:ste:1
Configure a Sufficiently Large Partition for Audit Logsxccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition medium

Configure a Sufficiently Large Partition for Audit Logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition
Result
notchecked
Multi-check ruleno
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
disaCCI-001849
os-srgSRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133
stigrefSV-258155r926452_rule
Description
The Red Hat Enterprise Linux 9 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command:
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Evaluation messages
info 
No candidate or applicable check found.
Configure auditd to use audispd's syslog pluginxccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated medium

Configure auditd to use audispd's syslog plugin

Rule IDxccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_audispd_syslog_plugin_activated:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui3.3.1
disaCCI-000136
hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7
nistAU-4(1), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4
osppFAU_GEN.1.1.c
pcidssReq-10.5.3
os-srgSRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133
pcidss410.3.3
stigrefSV-258145r926422_rule
Description
To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audit/plugins.d/syslog.conf to yes. Restart the auditd service:
$ sudo service auditd restart
Rationale
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

audispd syslog plugin activated  oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/plugins.d/syslog.conf^[ ]*active[ ]+=[ ]+yes[ ]*$1
Configure auditd Disk Error Action on Disk Errorxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig medium

Configure auditd Disk Error Action on Disk Error

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_disk_error_action_stig:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disaCCI-000140
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srgSRG-OS-000047-GPOS-00023
stigrefSV-258153r926446_rule
Description
The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_error_action = ACTION
              
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

disk full action  oval:ssg-test_auditd_data_disk_error_action_stig_syslog:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_error_action = SUSPEND

disk full action  oval:ssg-test_auditd_data_disk_error_action_stig_single:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_error_action = SUSPEND

disk full action  oval:ssg-test_auditd_data_disk_error_action_stig_halt:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_error_action = SUSPEND
Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig medium

Configure auditd Disk Full Action when Disk Space Is Full

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_disk_full_action_stig:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disaCCI-000140
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srgSRG-OS-000047-GPOS-00023
stigrefSV-258154r926449_rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
              
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

disk full action  oval:ssg-test_auditd_data_disk_full_action_stig_syslog:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_full_action = SUSPEND

disk full action  oval:ssg-test_auditd_data_disk_full_action_stig_single:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_full_action = SUSPEND

disk full action  oval:ssg-test_auditd_data_disk_full_action_stig_halt:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confdisk_full_action = SUSPEND
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct medium

Configure auditd mail_acct Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_action_mail_acct:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui3.3.1
disaCCI-000139, CCI-001855
hipaa164.312(a)(2)(ii)
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nerc-cipCIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
nistIA-5(1), AU-5(a), AU-5(2), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7.a
os-srgSRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134
cis4.1.2.3
stigrefSV-258163r926476_rule
Description
The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = root
              
Rationale
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
OVAL test results details

email account for actions  oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.confaction_mail_acct = root
Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action medium

Configure auditd admin_space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_admin_space_left_action:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui3.3.1
disaCCI-000140, CCI-001343, CCI-001855
hipaa164.312(a)(2)(ii)
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7
os-srgSRG-OS-000343-GPOS-00134
cis4.1.2.3
pcidss410.5.1
stigrefSV-258159r926464_rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
              
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confadmin_space_left_action = SUSPEND
Configure auditd admin_space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_percentage medium

Configure auditd admin_space_left on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_percentage
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_admin_space_left_percentage:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disaCCI-001855
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7
os-srgSRG-OS-000343-GPOS-00134
stigrefSV-258158r926461_rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately:
admin_space_left = PERCENTAGE%
Set this value to 5 to cause the system to perform an action.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_admin_space_left_percentage:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_data_retention_admin_space_left_percentage:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/auditd.conf^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$1
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig medium

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_max_log_file_action_stig:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disaCCI-000140
hipaa164.312(a)(2)(ii)
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7
os-srgSRG-OS-000047-GPOS-00023
app-srg-ctrSRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800
stigrefSV-258160r926467_rule
Description
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
              
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Rationale
Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_max_log_file_action_stig_rotate:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.confmax_log_file_action = ROTATE

admin space left action   oval:ssg-test_auditd_data_retention_max_log_file_action_stig_single:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confmax_log_file_action = ROTATE
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action medium

Configure auditd space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_action:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui3.3.1
disaCCI-001855
hipaa164.312(a)(2)(ii)
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7
os-srgSRG-OS-000343-GPOS-00134
cis4.1.2.3
pcidss410.5.1
stigrefSV-258157r926458_rule
Description
The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
              
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confspace_left_action = SYSLOG
Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage medium

Configure auditd space_left on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_percentage:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disaCCI-001855
isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidssReq-10.7
os-srgSRG-OS-000343-GPOS-00134
stigrefSV-258156r926455_rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to notify the user of an issue.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_space_left_percentage:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_data_retention_space_left_percentage:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/auditd.conf^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$1
Set number of records to cause an explicit flush to audit logsxccdf_org.ssgproject.content_rule_auditd_freq medium

Set number of records to cause an explicit flush to audit logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_freq
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_freq:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
nistCM-6
osppFAU_GEN.1
os-srgSRG-OS-000051-GPOS-00024
stigrefSV-258168r943024_rule
Description
To configure Audit daemon to issue an explicit flush to disk command after writing 100 records, set freq to 100 in /etc/audit/auditd.conf.
Rationale
If option freq isn't set to 100, the flush to disk may happen after higher number of records, increasing the danger of audit loss.
OVAL test results details

tests the value of freq setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_freq:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.conffreq = 50
Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events medium

Include Local Events in Audit Logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_local_events
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_local_events:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
disaCCI-000366
nistCM-6
osppFAU_GEN.1
os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227
stigrefSV-258164r926479_rule
Description
To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
Rationale
If option local_events isn't set to yes only events from network will be aggregated.
OVAL test results details

tests the value of local_events setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_local_events:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.conflocal_events = yes
Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format low

Resolve information before writing to audit logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_log_format
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_log_format:def:1
Time2024-08-21T12:36:06+00:00
Severitylow
References:
disaCCI-000366
nistCM-6, AU-3
osppFAU_GEN.1.2
os-srgSRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227
app-srg-ctrSRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800
stigrefSV-258169r926494_rule
Description
To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
Rationale
If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them.
OVAL test results details

tests the value of log_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_log_format:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.conflog_format = ENRICHED
Set type of computer node name logging in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format medium

Set type of computer node name logging in audit logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_name_format
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_name_format:def:1
Time2024-08-21T12:40:12+00:00
Severitymedium
References:
disaCCI-001851
nistCM-6, AU-3
osppFAU_GEN.1.2
os-srgSRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
pcidss410.2.2
stigrefSV-258161r926470_rule
Description
To configure Audit daemon to use a unique identifier as computer node name in the audit events, set name_format to hostname|fqd|numeric in /etc/audit/auditd.conf.
Rationale
If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.
Warnings
warning  Whenever the variable
var_auditd_name_format
uses a multiple value option, for example
A|B|C
, the first value will be used when remediating this rule.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

tests the value of name_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_name_format:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/audit/auditd.confname_format = NONE
Appropriate Action Must be Setup When the Internal Audit Event Queue is Fullxccdf_org.ssgproject.content_rule_auditd_overflow_action medium

Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

Rule IDxccdf_org.ssgproject.content_rule_auditd_overflow_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_overflow_action:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
disaCCI-001851
nistAU-4(1)
os-srgSRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
stigrefSV-258162r926473_rule
Description
The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action to one of the following values: syslog, single, halt.
Rationale
The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.
OVAL test results details

tests the value of overflow_action setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_overflow_action:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.confoverflow_action = SYSLOG
Write Audit Logs to the Diskxccdf_org.ssgproject.content_rule_auditd_write_logs medium

Write Audit Logs to the Disk

Rule IDxccdf_org.ssgproject.content_rule_auditd_write_logs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_write_logs:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
nistCM-6
osppFAU_STG.1
os-srgSRG-OS-000480-GPOS-00227
stigrefSV-258170r926497_rule
Description
To configure Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.
Rationale
If write_logs isn't set to yes, the Audit logs will not be written to the disk.
OVAL test results details

tests the value of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/audit/auditd.confwrite_logs = yes

tests the absence of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
not evaluated/etc/audit/auditd.confwrite_logs =
Install audispd-plugins Packagexccdf_org.ssgproject.content_rule_package_audispd-plugins_installed medium

Install audispd-plugins Package

Rule IDxccdf_org.ssgproject.content_rule_package_audispd-plugins_installed
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-package_audispd-plugins_installed:def:1
Time2024-08-21T12:39:51+00:00
Severitymedium
References:
osppFMT_SMF_EXT.1
os-srgSRG-OS-000342-GPOS-00133
pcidss410.3.3
stigrefSV-258175r926512_rule
Description
The audispd-plugins package can be installed with the following command:
$ sudo dnf install audispd-plugins
Rationale
audispd-plugins provides plugins for the real-time interface to the audit subsystem, audispd. These plugins can do things like relay events to remote machines or analyze events for suspicious behavior.
Evaluation messages
info 
Fix execution completed and returned: 0
info 
Last metadata expiration check: 2:49:42 ago on Wed Aug 21 09:50:07 2024.
Dependencies resolved.
================================================================================
 Package                Architecture  Version               Repository     Size
================================================================================
Installing:
 audispd-plugins        x86_64        3.1.2-2.el9           baseos         51 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 51 k
Installed size: 118 k
Downloading Packages:
audispd-plugins-3.1.2-2.el9.x86_64.rpm          149 kB/s |  51 kB     00:00    
--------------------------------------------------------------------------------
Total                                            98 kB/s |  51 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : audispd-plugins-3.1.2-2.el9.x86_64                     1/1 
  Running scriptlet: audispd-plugins-3.1.2-2.el9.x86_64                     1/1 
  Verifying        : audispd-plugins-3.1.2-2.el9.x86_64                     1/1 
Installed products updated.

Installed:
  audispd-plugins-3.1.2-2.el9.x86_64                                            

Complete!
OVAL test results details

package audispd-plugins is installed  oval:ssg-test_package_audispd-plugins_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_audispd-plugins_installed:obj:1 of type rpminfo_object
Name
audispd-plugins
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed medium

Ensure the audit Subsystem is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_audit_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_audit_installed:def:1
Time2024-08-21T12:36:03+00:00
Severitymedium
References:
disaCCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169
hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
nerc-cipCIP-004-6 R3.3, CIP-007-3 R6.5
nistAC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a)
osppFAU_GEN.1
pcidssReq-10.1
os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
anssiR33, R73
cis4.1.1.1
pcidss410.2.1
stigrefSV-258151r926440_rule
Description
The audit package should be installed.
Rationale
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
OVAL test results details

package audit is installed  oval:ssg-test_package_audit_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedauditx86_64(none)2.el93.1.20:3.1.2-2.el90audit-0:3.1.2-2.el9.x86_64
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled medium

Enable auditd Service

Rule IDxccdf_org.ssgproject.content_rule_service_auditd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_auditd_enabled:def:1
Time2024-08-21T12:36:06+00:00
Severitymedium
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.3.1, 3.3.2, 3.3.6
disaCCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169
hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nerc-cipCIP-004-6 R3.3, CIP-007-3 R6.5
nistAC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23)
nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1
pcidssReq-10.1
os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
app-srg-ctrSRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310
anssiR33, R73
cis4.1.1.4
pcidss410.2.1
stigrefSV-258152r926443_rule
Description
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Rationale
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
OVAL test results details

package audit is installed  oval:ssg-test_service_auditd_package_audit_installed:tst:1  true

Following items have been found on the system:
Result of item-state comparisonNameArchEpochReleaseVersionEvrSignature keyidExtended name
not evaluatedauditx86_64(none)2.el93.1.20:3.1.2-2.el90audit-0:3.1.2-2.el9.x86_64

Test that the auditd service is running  oval:ssg-test_service_running_auditd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitPropertyValue
trueauditd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_auditd:tst:1  true

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
truemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount

systemd test  oval:ssg-test_multi_user_wants_auditd_socket:tst:1  false

Following items have been found on the system:
Result of item-state comparisonUnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
falsemulti-user.targetbasic.target-.mountsysinit.targetsystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountsystemd-binfmt.servicesystemd-boot-random-seed.serviceswap.targetdev-hugepages.mountldconfig.serviceselinux-autorelabel-mark.servicesystemd-pcrmachine.servicekmod-static-nodes.servicesystemd-ask-password-console.pathsystemd-network-generator.servicesystemd-udevd.servicesystemd-random-seed.servicesystemd-boot-update.servicesystemd-sysctl.servicesystemd-update-done.servicesystemd-tmpfiles-setup.servicesys-kernel-config.mountsystemd-journal-catalog-update.servicesystemd-repart.servicesystemd-journald.servicesystemd-pcrphase.servicesystemd-machine-id-commit.serviceintegritysetup.targetnis-domainname.servicesystemd-hwdb-update.servicelvm2-lvmpolld.socketlocal-fs.targetboot-efi.mountboot.mountsystemd-remount-fs.servicelvm2-monitor.servicesystemd-modules-load.servicesystemd-firstboot.serviceproc-sys-fs-binfmt_misc.automountdracut-shutdown.servicedev-mqueue.mountsystemd-update-utmp.servicesys-kernel-tracing.mountsystemd-journal-flush.servicesystemd-udev-trigger.serviceveritysetup.targetsystemd-pcrphase-sysinit.servicesys-fs-fuse-connections.mountcryptsetup.targetsystemd-sysusers.servicelow-memory-monitor.servicesockets.targetsystemd-udevd-kernel.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-coredump.socketdbus.socketsystemd-journald.socketmde_netfilter.socketsssd-kcm.socketsystemd-udevd-control.socketsystemd-initctl.socketmicrocode.servicetimers.targetdnf-makecache.timerlogrotate.timersystemd-tmpfiles-clean.timerpaths.targetslices.target-.slicesystem.sliceomid.servicekdump.serviceNetworkManager.servicesshd.serviceauditd.servicemdmonitor.servicecloud-init.targetcloud-init.servicecloud-init-local.servicecloud-final.servicecloud-config.servicegetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicechronyd.servicerngd.servicesystemd-update-utmp-runlevel.servicersyslog.servicesystemd-logind.servicemde_netfilter.servicesssd.servicesystemd-user-sessions.serviceomsagent-91a8327b-2f67-4e98-8ba5-2e5e8deea124.servicesystemd-ask-password-wall.pathirqbalance.servicecrond.servicewaagent.servicemdatp.serviceremote-fs.targetmnt.mount
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument low

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_argument:def:1
Time2024-08-21T12:39:52+00:00
Severitylow
References:
cis-csc1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis5.4.1.1
cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui3.3.1
disaCCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6
iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nistAC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1)
nist-csfDE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
osppFAU_GEN.1
pcidssReq-10.3
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095
cis4.1.1.2
pcidss410.7.2
stigrefSV-257796r925375_rule
Description
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Rationale
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for audit=1 for all boot entries.  oval:ssg-test_grub2_audit_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument low

Extend Audit Backlog Limit for the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result
fixed
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_backlog_limit_argument:def:1
Time2024-08-21T12:39:52+00:00
Severitylow
References:
disaCCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884
nistCM-6(a)
osppFAU_STG.1, FAU_STG.3
os-srgSRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
cis4.1.1.3
pcidss410.7.2
stigrefSV-258173r926506_rule
Description
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. To ensure that audit_backlog_limit=8192 is added as a kernel command line argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Rationale
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.
Evaluation messages
info 
Fix execution completed and returned: 0
OVAL test results details

check kernel command line parameters for audit_backlog_limit=8192 for all boot entries.  oval:ssg-test_grub2_audit_backlog_limit_entries:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/boot/loader/entries/41c1a55a253d4347ba8a12a9fcb0ee42-5.14.0-362.8.1.el9_3.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root
false/boot/loader/entries/0e8db0030bcd4de89b371ed146a40bda-5.14.0-427.28.1.el9_4.x86_64.confoptions root=/dev/mapper/rocky-root ro rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1  false

Following items have been found on the system:
Result of item-state comparisonPathContent
false/etc/default/grubGRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M rd.lvm.lv=rocky/root"

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparisonPathContent
true/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Scroll back to the first rule
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.